I'm using app search with search ui GitHub - elastic/search-ui: Search UI. Libraries for the fast development of modern, engaging search experiences. Everything looks great about search ui except security. All keys Credentials (searchKey,host identifier,engineName) are visible in api call. I thoug…

Hey @Swapnil_Ghorpade . We consider it safe to expose Public Search Keys. They have limited, read-only access. Did you have a specific concern around that? There are instructions and an example for using Search UI with other back ends here: https://github.com/elastic/search-ui/blob/master/ADVANCED.m…

@Swapnil_Ghorpade You could set up a thin proxy to our API that handles authentication and injects the correct authentication token, and then point Search UI at your proxy server. There is an endpointBase configuration option that lets configure the URL where the App Search API is located.

hey @JasonStoltz I didn’t get that. could you please elaborate a bit , how to use this ?

If you need to protect search and put it behind a login, then you'll need to make the API requests to App Search server-side. One way to do that, would be to create your own search endpoint that just proxies our App Search API. Browser -> Your Server -> App Search API Your server could just pass t…

@JasonStoltz thanks for the responding. yes..it's look like this will work.

hey thank you @JasonStoltz I have a question, I think it will add unnecessary load on own server to just forward request to app-search on every time users do search? is there any other way to handle this case?

@Swapnil_Ghorpade If your documents are private, then I think you must make these calls on the server side, behind your authentication. I don't think there's any way around that.

Security - how to avoid exposing app search keys (searchKey,host identifier,engineName) in search ui

Elastic Search

Swapnil_Ghorpade (Swapnil G) November 18, 2019, 7:10am 3

@JasonStoltz yeah documents are private thats why...
If anyone get these keys then he can easily access documents without logging which I don't want.

Could you please suggest any better way to handle this?

PFA : search-ui default demo-examples

Topic		Replies	Views
Securing search-ui and embedding in larger a larger non-React app Elastic Search elastic-app-search	8	1017	August 29, 2021
Search-ui - can we use signed keys without building a custom connector? Elastic Search elastic-app-search	2	453	February 28, 2022
Securing search endpoint Elastic Search elastic-app-search	5	476	December 8, 2021
Access AppSearch APIs without authentication Elastic Search	3	319	November 4, 2022
Retrieve document by id via public key Elastic Search elastic-app-search	2	363	December 29, 2023

Security - how to avoid exposing app search keys (searchKey,host identifier,engineName) in search ui

Related topics