Note: this is not a comprehensive security tutorial for RAD Server, merely a tech tip.
There are several sections in the emsserver.ini file that help you secure RAD Server for production, including Server.APICrossDomain, Console.Login and Server.Authorization. The CrossDomain setting in Server.APICrossDomain controls which origins are allowed to make cross-origin (CORS) requests to the API; change it from the wildcard to only your own domains. Set the UserName and Password in the Console.Login section to values of your own so that only you can log into the console, and do not leave the shipped defaults in place. Finally, you can restrict access to individual endpoints by customizing the Server.Authorization section: a rule for a whole resource (Users) sets the default, and a rule for a specific endpoint (Users.LoginUser) refines it. Here is a sample of settings you could add to limit access to the Users resource:
Users={"public": false}
Users.LoginUser={"public": true}
Users.GetUserGroups={"users": ["*"]}
Users.GetUsers={"groups": ["Admin"]}
Users.GetUserFields={"groups": ["Admin"]}
Users.GetUser={"groups": ["Admin"]}
Users.GetGroup={"groups": ["Admin"]}
Users.UpdateUser={"groups": ["Admin"]}
Users.AddUser={"groups": ["Admin"]}
Note that the rule values are JSON, so use straight quotes; a rule pasted with curly quotes will not parse. If the settings are too restrictive you will receive a 401 response from the server for the blocked call; in that case, adjust the rule for that specific endpoint rather than reopening the whole resource. Other sections worth reviewing for a production deployment are Server.Keys, where you can set a server-wide master secret and an application secret, and Server.Connection.Dev, where you can enable HTTPS.
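As an added example (not part of the original tip and not RAD Server's own code), here is a small Python audit script that reads an emsserver.ini, flags the weak settings discussed above, and evaluates the Server.Authorization rules for a given caller so you can see which calls would come back 401 before you deploy. The sample ini is constructed. The console defaults consoleuser/consolepass, the HTTPS key under Server.Connection.Dev, the MasterSecret and AppSecret key names, and the rule-evaluation semantics (the most specific rule wins, "public": true admits anonymous callers, "users": ["*"] means any authenticated user) are assumptions; check them against the RAD Server documentation for your version.

```python
"""Audit an emsserver.ini and evaluate Server.Authorization rules.

Added example, not RAD Server code. Assumed: key names under Server.Keys and
Server.Connection.Dev, the default console credentials, and rule semantics.
"""
import configparser
import json
from typing import Optional

# Constructed sample: the Server.Authorization lines from the tip, plus
# out-of-the-box style values in the other sections for the audit to catch.
SAMPLE_INI = """
[Server.APICrossDomain]
CrossDomain=*

[Console.Login]
UserName=consoleuser
Password=consolepass

[Server.Keys]
MasterSecret=
AppSecret=

[Server.Connection.Dev]
Port=8080
HTTPS=0

[Server.Authorization]
Users={"public": false}
Users.LoginUser={"public": true}
Users.GetUserGroups={"users": ["*"]}
Users.GetUsers={"groups": ["Admin"]}
Users.GetUser={"groups": ["Admin"]}
Users.AddUser={"groups": ["Admin"]}
"""


def load_ini(text: str) -> configparser.ConfigParser:
    # Only '=' separates keys from values; ':' appears inside the JSON rules.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (CrossDomain, MasterSecret, ...)
    cp.read_string(text)
    return cp


def audit(cp: configparser.ConfigParser) -> list[str]:
    """Return findings for the weak settings the tip warns about (empty = clean)."""
    findings = []
    if cp.get("Server.APICrossDomain", "CrossDomain", fallback="*").strip() == "*":
        findings.append("Server.APICrossDomain: CrossDomain=* allows any origin")
    creds = (cp.get("Console.Login", "UserName", fallback=""),
             cp.get("Console.Login", "Password", fallback=""))
    if creds == ("consoleuser", "consolepass"):  # assumed shipped defaults
        findings.append("Console.Login: default console credentials still set")
    for key in ("MasterSecret", "AppSecret"):  # assumed key names
        if not cp.get("Server.Keys", key, fallback="").strip():
            findings.append(f"Server.Keys: {key} is empty")
    if cp.get("Server.Connection.Dev", "HTTPS", fallback="0").strip() != "1":  # assumed key
        findings.append("Server.Connection.Dev: HTTPS not enabled")
    if cp.has_section("Server.Authorization"):
        for name, raw in cp.items("Server.Authorization"):
            try:
                json.loads(raw)
            except ValueError:  # e.g. curly quotes pasted from a web page
                findings.append(f"Server.Authorization: {name} is not valid JSON")
    return findings


def parse_rules(cp: configparser.ConfigParser) -> dict[str, dict]:
    return {name: json.loads(raw) for name, raw in cp.items("Server.Authorization")}


def is_allowed(rules: dict, endpoint: str, user: Optional[str], groups: set[str]) -> bool:
    """Assumed semantics: endpoint rule beats resource rule; no rule means open;
    user=None is an anonymous caller. False corresponds to the 401 in the tip."""
    resource = endpoint.split(".", 1)[0]
    rule = rules.get(endpoint, rules.get(resource))
    if rule is None or rule.get("public") is True:
        return True
    if user is None:
        return False
    users = rule.get("users", [])
    if "*" in users or user in users:
        return True
    return bool(groups & set(rule.get("groups", [])))


if __name__ == "__main__":
    cfg = load_ini(SAMPLE_INI)
    for finding in audit(cfg):
        print("WEAK:", finding)
    r = parse_rules(cfg)
    print("anonymous LoginUser:", is_allowed(r, "Users.LoginUser", None, set()))
    print("bob (Users) GetUser:", is_allowed(r, "Users.GetUser", "bob", {"Users"}))
```

Run it against your real emsserver.ini by replacing SAMPLE_INI with the file contents; every WEAK line is a setting to fix before the server faces the network, and the is_allowed calls let you check a caller's access to each endpoint without redeploying to see who gets a 401.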
See the full documentation for the RAD Server Authentication section for the details of each setting.
This text is an excerpt from the Field Service Template FAQ documentation. Find out more about the Field Service Template in the video: