Securing exposed API endpoint for triggered task

dwhansen-cbg
Contributor

It is my understanding that when we create a Triggered Task for a pipeline there are only two ways of securing the API endpoint, 1) the bearer token and 2) basic authentication in the endpoint URL as a parameter.

I know others that use SnapLogic that have had their triggered tasks hacked (via figuring out the bearer token) and pipelines have been kicked off by people that weren't authorized. My question is this: how can we add additional security to the Triggered Task API endpoint?

1 ACCEPTED SOLUTION

christwr
Contributor III

Like who? I assume folks who didn't keep the bearer token private, or changed it to something bad…

A few ways to add "extra" security to triggered tasks:

  • IP whitelisting (Access Control)
  • Front the triggered task with an API Gateway (that handles the auth switching)
  • Add some other checker logic to your triggered pipeline (JWT, etc.)
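
As an added illustration of the first and third bullets (this is not code from the thread or from SnapLogic), the sketch below shows the kind of check a gateway or front-end service could run before it forwards a request to the triggered task: a source-IP allowlist followed by HS256 JWT validation. The network range, secret, audience value and function names are all constructed assumptions.

```python
import base64, hashlib, hmac, ipaddress, json, time

# Constructed values for illustration; none come from the thread or from SnapLogic.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
JWT_SECRET = b"constructed-demo-secret"
EXPECTED_AUD = "triggered-task-demo"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret=JWT_SECRET):
    """Build an HS256 token (used here only to produce sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def authorize(source_ip, token, now=None):
    """Return (allowed, reason); every check must pass before the task is invoked."""
    now = time.time() if now is None else now
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "bad source address"
    if not any(addr in net for net in ALLOWED_NETS):
        return False, "source ip not allowlisted"
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        # Pin the algorithm; never let the token's own "alg" field choose it.
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return False, "unexpected alg"
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(JWT_SECRET, signed, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(body_b64))
        if claims.get("aud") != EXPECTED_AUD:
            return False, "wrong audience"
        exp = claims.get("exp")
    except (ValueError, AttributeError):
        return False, "malformed token"
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"
```

With a check like this in front of the task, the task's own bearer token stays on the gateway side and callers only ever hold short-lived signed tokens.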


2 REPLIES 2

I won't say who it happened to, but I know the company he works for has had an issue in the past and I would like to avoid it at my company.

@christwr thank you for your suggestions! These are all great suggestions and we will probably employ IP whitelisting and an API gateway to lock things down a little more. Thanks!