Posted to issues@lucene.apache.org by "Jason Gerlowski (Jira)" <ji...@apache.org> on 2019/12/05 00:26:00 UTC

[jira] [Created] (SOLR-14014) Allow Solr to start with Admin UI disabled

Jason Gerlowski created SOLR-14014:
--------------------------------------

             Summary: Allow Solr to start with Admin UI disabled
                 Key: SOLR-14014
                 URL: https://issues.apache.org/jira/browse/SOLR-14014
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Admin UI, security
    Affects Versions: 8.3.1, master (9.0)
            Reporter: Jason Gerlowski


Currently Solr always runs the Admin UI.  With the history of XSS issues and other security concerns that have been found in the Admin UI, Solr should offer a mode where the Admin UI is disabled.  Maybe, and this is a topic that'll need some serious discussion, this should even be the default when Solr starts.

NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even with the Admin UI disabled, Solr will still be inherently unsafe without firewall protection on a public network.


