Security
The consumer-driven APIs used in MDS enable clients to specify the criteria by which they want to filter, project or sort, and MDS executes these on their behalf. Because malicious users could abuse this flexibility to attack the platform, and the potential damage is significant, a number of measures are available to limit such attacks.
The MDS supports the following measures to protect the stability of the platform:
- White listing query filters
- Mandating use of fields as a query parameter
- Enforcing a maximum page size
API White list
Delivery APIs
A White list is provided within MDS to narrow the allowed queries to only those included within that White list. Queries that do not appear within the White list are rejected before reaching the database level where they could be potentially damaging. For configuration details, see White List. Global use of the whitelist can be enabled and/or disabled through configuration of the appconfig.ini property ClientInterfaceConfig.enforceWhitelist.
Mandatory Fields
Delivery APIs
Mandated fields can be enabled and/or disabled globally through the appconfig.ini property ClientInterfaceConfig.enforceFields. Once enabled, no request can be made without providing a non-empty fields query parameter. Due to their simpler use, the following APIs are exempt from this restriction:
/btv/version
/vod/version
/ping
/versions
Maximum page size
Delivery and SOLR APIs
Maximum page size limiting can be enabled and/or disabled globally through configuration of the appconfig.ini property ClientInterfaceConfig.enforceLimit. Maximum page sizes can be configured on a per API basis through the whitelist.yaml configuration file / puppet property.
Each API definition has a maxReturn property which denotes the upper limit for a requested page size. Any request above this size will be rejected before reaching the database. However, due to their simpler use, the following APIs are exempt from this restriction:
/btv/version
/vod/version
/ping
/versions
Back-end access
The SNI Router gateway differentiates end-user requests from back-end service requests.
To simplify development and maintenance of back-end features, MDS only applies security to requests originating outside of the platform (the likeliest source for malicious requests). This is achieved by the addition of a header to those requests travelling via the SNI Router.
sni-external-request: true
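
The checks described on this page, combined into a single request gate, as an added Python example (not MDS code). The header, the fields parameter, maxReturn, the exempt paths and the three enforce switches are from the page; the in-memory whitelist shape, the filter and limit parameter names, exact-match filter comparison and the sample path are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Paths the page lists as exempt from the fields and page-size rules.
EXEMPT = {"/btv/version", "/vod/version", "/ping", "/versions"}
# Stand-in for the ClientInterfaceConfig switches in appconfig.ini.
CONFIG = {"enforceWhitelist": True, "enforceFields": True, "enforceLimit": True}
# Assumed in-memory shape of whitelist.yaml (constructed sample entries):
# API path -> permitted filter strings and the maxReturn page-size ceiling.
WHITELIST = {
    "/example/items": {"filters": {'{"type":"movie"}'}, "maxReturn": 100},
    "/ping": {"filters": set(), "maxReturn": 1},
}

def check_request(url, headers, config=CONFIG, whitelist=WHITELIST):
    """Return (allowed, reason) for one request, before any database work."""
    hdrs = {k.lower(): v.strip().lower() for k, v in headers.items()}
    # Only requests tagged by the SNI Router are treated as external.
    if hdrs.get("sni-external-request") != "true":
        return True, "back-end request"
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    entry = whitelist.get(parts.path)
    if config["enforceWhitelist"]:
        if entry is None:
            return False, "API not in whitelist"
        # "filter" is an assumed parameter name and exact string match is an
        # assumption; the real matching rules are not given on the page.
        if any(f not in entry["filters"] for f in query.get("filter", [])):
            return False, "filter not in whitelist"
    if parts.path in EXEMPT:
        return True, "exempt API"
    if config["enforceFields"] and not any(v.strip() for v in query.get("fields", [])):
        return False, "fields parameter missing or empty"
    if config["enforceLimit"] and entry is not None and "limit" in query:
        # "limit" is an assumed parameter name; non-numeric values are rejected too.
        raw = query["limit"][-1]
        if not raw.isdecimal() or int(raw) > entry["maxReturn"]:
            return False, "invalid or oversized page size"
    return True, "ok"
```

A request without the header is treated as back-end traffic, so the gate depends on the SNI Router being the only external entry point to MDS.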