We have a self-hosted Enterprise Search instance with sensitive search data in it. A permanent public search API key doesn't meet our security standards.
What is the best way to ensure that only authenticated users can access the search endpoint? Our users are authenticated through AWS Cognito.
Thanks a lot in advance.
If a public search key does not meet your standards, then I would recommend proxying the search endpoint through your own API endpoint, which would implement whatever security protocols you wish.
@JasonStoltz thanks, will look into doing that. However, I'm currently using the SearchUI to handle all search requests - do you know of an easy way to add extra headers into the query - for the authentication token?
Sure. The App Search API connector is configured to pass through any additional options to the underlying API client: search-ui/packages/search-ui-app-search-connector at master · elastic/search-ui · GitHub. The underlying api client supports an additionalHeaders option, so you can use that: GitHub - elastic/app-search-javascript: Elastic App Search Official JavaScript Client.
Worked like a charm, thank you!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.