Document how to operate a public XHGui instance #308

Open
Krinkle opened this issue Aug 20, 2020 · 1 comment

Krinkle commented Aug 20, 2020

The /import and /delete endpoints are something you generally don't want to leave exposed to the Internet. At Wikimedia, we've turned these off at the web server layer hoping that it can't be bypassed.

That suffices for now, but I'd like to either integrate this into the software, or embrace it as the recommended practice and advertise/document it here so that other people can learn from it, and also so that it will be taken into account when making changes in the future.


glensc commented Aug 21, 2020

I think as a first step these endpoints should be disabled by default and enabled only when someone explicitly enables them in config, or at least restricted to the 127.0.0.1 address by default.
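
An added example of the policy proposed in this thread (off by default, opt-in through config, loopback-only once enabled); it is not code from XHGui or from either commenter. The config keys, function names and sample requests are hypothetical, and the endpoints are matched by the `/import` and `/delete` names used in this issue.

```php
<?php declare(strict_types=1);

// Hypothetical config keys for this example; not XHGui's real settings.
const GUARD_DEFAULTS = [
    'import.enabled' => false,                 // off unless explicitly enabled
    'delete.enabled' => false,
    'allow_from'     => ['127.0.0.1', '::1'],  // loopback only by default
];

/** Return 'import' or 'delete' if the path targets such an endpoint, else null. */
function sensitiveAction(string $requestUri): ?string
{
    // Normalize before matching so variants such as "//import/" or
    // "/%69mport" classify the same way as "/import".
    $path = strtolower(rawurldecode(explode('?', $requestUri, 2)[0]));
    foreach (explode('/', $path) as $segment) {
        if ($segment === 'import' || $segment === 'delete') {
            return $segment;
        }
    }
    return null;
}

/** Decide whether a request may proceed; sensitive endpoints fail closed. */
function isRequestAllowed(string $requestUri, string $peerAddr, array $config = []): bool
{
    $config += GUARD_DEFAULTS;                 // caller overrides win
    $action = sensitiveAction($requestUri);
    if ($action === null) {
        return true;                           // not a sensitive endpoint
    }
    if ($config["$action.enabled"] !== true) {
        return false;                          // disabled by default
    }
    // $peerAddr must be the socket peer (REMOTE_ADDR), not a client-supplied
    // header such as X-Forwarded-For.
    return in_array($peerAddr, $config['allow_from'], true);
}

// Constructed sample requests: [request URI, peer address, config overrides].
$samples = [
    ['/?page=2',       '203.0.113.7', []],
    ['/import',        '127.0.0.1',   []],
    ['/import',        '127.0.0.1',   ['import.enabled' => true]],
    ['//%69mport/',    '203.0.113.7', ['import.enabled' => true]],
];
foreach ($samples as [$uri, $peer, $overrides]) {
    printf("%-14s %-12s %s\n", $uri, $peer, isRequestAllowed($uri, $peer, $overrides) ? 'allow' : 'deny');
}
```

If the application sits behind a reverse proxy on the same host, every request arrives from 127.0.0.1, so a loopback rule inside the application allows whatever the proxy forwards. In that setup the restriction has to be enforced at the proxy as well.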
