Webservice API Security
This page assumes you are familiar with the Murano webservice API; if not, follow the Webservice quickstart first.
This page discusses the web security of your Murano-hosted solution as provided through the Webservice micro-service. All requests to Murano require HTTPS out of the box. However, Murano also supports additional standard security mechanisms to keep your users safe.
In general, once your application is ready, a good practice is to test your setup with a website security benchmark tool.
Table of Contents
- Rate limit
- CSP - Content Security Policy
- CORS - Cross-Origin Resource Sharing
There are various methods to authenticate users, and Murano provides native support to block unauthorized requests at the edge of your application.
In the Webservice Service configuration parameters you can define the security schemes enabled in your API. Murano currently supports the following schemes:
- Basic - Basic authentication in the Authorization header, with the format "Basic " + base64Encode(username + ":" + password). More info
- Bearer - The secret must be passed in the Authorization header with the "Bearer " prefix.
- apiKey - Define the secret (e.g. a token) to be passed in the URL, a header or a cookie. Defaults to
Once defined, you can set in the security list which scheme to enable by default on all endpoints of the API. You can also define which security scheme to use per endpoint in the endpoint configuration.
All requests that do not provide the required security scheme are rejected with a 401 status code.
Once enabled in your API, you can test the authentication from the auto-generated API documentation page by pasting your token or username:password in the left text box.
Rate limit
You can also define a rate limit for your API to prevent end users or attackers from causing extra cost to your application. For this purpose, set the Webservice Service 'ratelimit' configuration parameter to the desired per-minute rate.
The rate limit uses the defined authentication scheme, which means the limit applies per secret (e.g. per token). If no security scheme is defined for an endpoint, the rate limit is applied per client IP address.
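To make the edge behaviour described in the security-scheme and rate-limit paragraphs concrete, here is an added example (not Murano's own code) that models it: the credential is extracted according to the configured scheme (basic, bearer, or apiKey in a header, query parameter or cookie), a request lacking it gets 401, and a per-minute counter is keyed by the presented secret, or by client IP when no scheme is defined. The request dictionaries, the `EdgeGuard` class and the 429 status returned when the limit is exceeded are assumptions for illustration; the page does not state what Murano answers when a limit is hit.

```python
import base64
from collections import defaultdict


def extract_secret(scheme, request):
    """Return the credential presented under `scheme`, or None if missing or malformed."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    kind = scheme["type"]
    if kind == "basic":
        # Expected form: "Basic " + base64(username + ":" + password)
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed base64 counts as "no credential"
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    if kind == "bearer":
        token = auth[7:].strip() if auth.startswith("Bearer ") else ""
        return token or None
    if kind == "apiKey":
        # The secret may live in a header, a query parameter or a cookie.
        if scheme["in"] == "header":
            return headers.get(scheme["name"].lower())
        source = request.get("query" if scheme["in"] == "query" else "cookies", {})
        return source.get(scheme["name"])
    raise ValueError(f"unsupported scheme {kind!r}")


class EdgeGuard:
    """Constructed edge filter: 401 without the scheme, then a per-minute rate limit."""

    def __init__(self, per_minute, scheme=None):
        self.scheme = scheme
        self.per_minute = per_minute
        self.counts = defaultdict(int)  # (minute bucket, limit key) -> request count

    def check(self, request, now):
        """Return the status the edge answers with: 200, 401 or 429 (429 is assumed)."""
        if self.scheme is None:
            key = ("ip", request["client_ip"])  # no scheme: limit per client IP
        else:
            secret = extract_secret(self.scheme, request)
            if secret is None:
                return 401  # required scheme not provided
            key = ("secret", secret)  # limit per token / credential pair
        bucket = (int(now // 60), key)
        self.counts[bucket] += 1
        return 429 if self.counts[bucket] > self.per_minute else 200
```

Because the counter is keyed by the secret rather than the IP when a scheme is configured, two clients sharing one token also share one budget, while unauthenticated endpoints fall back to per-address limiting.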
Rate limit on Websocket
Websocket limits the message rate to 5 messages per second. If a client sends more messages, the socket is temporarily paused. No message is lost; however, if the client keeps producing a higher message rate, the messages accumulate in the client buffer, growing its memory usage.
Content Security Policy
By default, Murano enables security headers for all solutions to keep your end users safe; the following security headers are set automatically.
Header name - value
- cache-control - no-cache, must-revalidate, proxy-revalidate
- content-security-policy - frame-ancestors 'self' ; img-src data: blob: ; media-src data: blob: ; default-src 'unsafe-inline' 'self' data: blob: gap: wss: ws: s3.us-west-2.amazonaws.com murano-content-service-prod.s3.us-west-2.amazonaws.com
- pragma - no-cache
- x-content-type-options - nosniff
- x-frame-options - sameorigin
- x-xss-protection - 1; mode=block
However, there are situations where you need to open your API for third-party integration. For that purpose, you can override those headers in the Webservice Service 'headers' configuration parameters: add the matching header name and value to replace the default. Those headers apply to every endpoint in the API.
Cross-Origin Resource Sharing
Murano can be used with mobile and existing frontend applications provided the Cross-Origin Resource Sharing (CORS) settings of your application are configured properly. After modifying your Project's CORS settings, you can request your data through Murano by interacting with your API directly from your application. If you are integrating Murano into a backend application, configuring CORS is not required and you can interact with your API directly.
By default, every modern web browser prevents a website from accessing a domain other than the one it originates from.
Example: if a website xxx.com tries to call your Murano-hosted API, the user's web browser blocks the access and the following error can be seen in the web browser logs.
CORS is a way to enable such cross-origin access with enough granularity to keep your end users safe. Learn more about CORS.
In Murano, CORS is deactivated by default. To configure it, use the Webservice Service 'CORS' configuration parameters.
So, to allow a third-party website to access your API, add its domain to the
You can also change the default Allowed headers & Methods to set custom restrictions.