Any Last Minute Security Details Before Going LIVE

18 views
Skip to first unread message

Sherry Lake

unread,
Mar 9, 2016, 9:44:32 AM3/9/16
to Dataverse Users Community
We are going "semi-live" (low key) on the 15th and want to make sure we have dealt with all security concerns.

The only thing I found is the note about running the post-install-api-block script. Anything else?

Thanks.
Sherry Lake

Philip Durbin

unread,
Mar 9, 2016, 10:01:36 AM3/9/16
to dataverse...@googlegroups.com
The fix for https://github.com/IQSS/dataverse/issues/2838 hasn't made it into a release yet (I think it will make it into Dataverse 4.4) so setting the ":AllowSignUp" database setting to "no" or "false" doesn't work. This is warned about at http://guides.dataverse.org/en/4.2.4/installation/config.html#allowsignup . If you're planning on keeping ":AllowSignUp" as "yes" (the default), then there is no security problem.

In addition to blocking API endpoints (very important!!) http://guides.dataverse.org/en/4.2.4/installation/config.html#securing-your-installation also suggests enforcing HTTPS.

In some docs I'm working on at http://guides.dataverse.org/en/2939-shib/installation/shibboleth.html#auth-modes-local-vs-remote-vs-both I mention the "BuiltinUsers.KEY" database setting. This string is necessary to create local users via API. You could delete or scramble it so it doesn't have the default value. Ensuring that "builtin-users" is in your list of blocked endpoints is even more secure.

I hope this helps. Let us know when you'd like your installation to be on the map at http://dataverse.org ! :)

Phil

--
You received this message because you are subscribed to the Google Groups "Dataverse Users Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dataverse-commu...@googlegroups.com.
To post to this group, send email to dataverse...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dataverse-community/26c738de-278d-42bd-849e-51bda1c1d345%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Reply all
Reply to author
Forward
0 new messages