[DOC] document http.detailed_errors.enabled config option & related security considerations #3084
Comments
We'll add this as a best practice in #5782.
@hdhalter this seems to already have been fixed in the PRs listed above. There is no further information leak; below is the current state.
"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"}],"type":"illegal_argument_exception","reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"},"status":400
"error":"RemoteTransportException[[opensearch-node2][172.31.0.2:9300][cluster:admin/settings/update]]","status":400
@AntonEliatra - The suggestion is to describe the setting in the documentation. Perhaps we can add to #7113?
…ect#3084 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding http.detailed_error.enabled configuration docs #3084
  Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding http.detailed_error.enabled configuration docs #3084
  Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Apply suggestions from code review
  Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
---------
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

* adding http.detailed_error.enabled configuration docs #3084
  Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding http.detailed_error.enabled configuration docs #3084
  Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Apply suggestions from code review
  Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
---------
Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
(cherry picked from commit b441e00)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
What do you want to do?
Tell us about your request.
The config option http.detailed_errors.enabled can be used to control whether REST APIs return detailed error messages or just generic failures. This should be documented, not just as a "there's this parameter" but also as a general security guideline (some security reviewers consider it prudent to reduce the amount of information returned by production systems in case of errors to prevent explorative behaviour of attackers).
IMHO it'd anyway be good to have a general "security best practices" chapter in the documentation; this would then fit in nicely there.
What other resources are available?
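As an added example (not part of this issue or of OpenSearch itself), a small Python audit helper that tells the two response shapes apart: with the setting at its default the `error` field is an object carrying `root_cause`, `type` and `reason`; with it set to `false` in opensearch.yml the field is a bare string. The two sample bodies are constructed from the responses quoted in the comment above; the helper also flags that the generic form still embeds the node name and transport address of the node that raised the exception.

```python
import json
import re

# Constructed sample bodies, modelled on the two responses quoted in this issue.
# DETAILED_BODY: http.detailed_errors.enabled at its default (true).
# GENERIC_BODY:  http.detailed_errors.enabled: false set in opensearch.yml
#                (the comment above shows it cannot be changed dynamically).
DETAILED_BODY = (
    '{"error":{"root_cause":[{"type":"illegal_argument_exception",'
    '"reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"}],'
    '"type":"illegal_argument_exception",'
    '"reason":"transient setting [http.detailed_errors.enabled], not dynamically updateable"},'
    '"status":400}'
)
GENERIC_BODY = (
    '{"error":"RemoteTransportException[[opensearch-node2][172.31.0.2:9300]'
    '[cluster:admin/settings/update]]","status":400}'
)

# Patterns a reviewer would treat as internal detail reaching the client.
_NODE_ADDR = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\]")
_JAVA_EXC = re.compile(r"\b[A-Z][A-Za-z]*Exception\b")


def classify_error_response(body: str) -> dict:
    """Report the shape of an OpenSearch REST error body and what it exposes.

    mode is "detailed" when `error` is an object (root_cause/type/reason) and
    "generic" when `error` is a bare string; `leaks` lists internal details
    found in either form.
    """
    doc = json.loads(body)
    err = doc.get("error")
    leaks = []
    if isinstance(err, dict):
        mode = "detailed"
        # Exception types and reason strings describe the failing code path.
        for rc in err.get("root_cause", []):
            leaks.append(f"root_cause type={rc.get('type')}")
        if "reason" in err:
            leaks.append("reason text")
        text = json.dumps(err)
    else:
        mode = "generic"
        text = str(err)
    # Transport exceptions carry node name and bind address even in generic mode.
    for ip, port in _NODE_ADDR.findall(text):
        leaks.append(f"node address {ip}:{port}")
    for exc in sorted(set(_JAVA_EXC.findall(text))):
        leaks.append(f"exception class {exc}")
    return {"status": doc.get("status"), "mode": mode, "leaks": leaks}
```

Running it over captured error responses from a production endpoint is a quick way to confirm the setting actually took effect after a restart.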