- [ ] Set up an IP-whitelisted API key for cloud.gov only, set up the CMS to use it in stage to test. Test by: Users shouldn't be able to use that API key, but app should
- [ ] Check on API umbrella seemingly removing the / in the IP ranges (52.222.122.97/32 becomes 52.222.122.97) - is it a display issue?
- [ ] Check on where FEC_WEB_API_KEY and FEC_WEB_API_KEY_PUBLIC are used
- [ ] Look at unlimited API key configuration and API backend configuration
- [ ] Do we really need everyone to access the POST/download URL? We could restrict this role to just the CMS key.
We discovered that client-side (browser) API calls won't have the cloud.gov IP address, and it seems that the only way for that to really work would be to make the export call a server-side call.
Plan of attack:
- Investigate making the "Export" API call a server-side (Python) call so that the source IP is cloud.gov.
- On the API side, restrict /downloads/ to cloud.gov IPs. See this PR (https://github.com/fecgov/openFEC/pull/3625/files) for application-level blocking, but we'd want to just whitelist cloud.gov for the /downloads/ endpoint.
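As an added example (not openFEC's code and not the PR linked above), the following shows how the two ideas in this thread can be checked with Python's standard library: an allowlist that only gates the /downloads/ path, and entries that behave the same whether or not API Umbrella shows the /32 suffix. The allowlist entries, paths and proxy range are constructed for illustration (the page's own 52.222.122.97/32 is reused alongside RFC 5737 documentation addresses), and the `effective_client_ip` helper assumes the app sits behind a reverse proxy that appends the peer it saw to X-Forwarded-For; if the app sees the client socket directly, only `remote_addr` is needed.

```python
"""Source-IP allowlist for a restricted download path (constructed example)."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Path prefixes that only the allowlisted source (e.g. the CMS) may call.
RESTRICTED_PREFIXES = ("/downloads/",)


def normalize_allowlist(entries: Iterable[str]) -> List[Network]:
    """Parse allowlist entries into network objects.

    A bare address with no "/prefix" is treated as a single-host network, so
    "52.222.122.97" and "52.222.122.97/32" match exactly the same client.
    Whether API Umbrella merely displays the /32 this way or really drops it,
    the check behaves identically.
    """
    nets: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        # strict=False tolerates host bits set inside a range (e.g. 10.0.0.5/24).
        nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def ip_in_allowlist(client_ip: str, nets: List[Network]) -> bool:
    """True if client_ip parses and falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an empty or malformed address is never allowed
    # Membership is False across address families, so v6 never matches a v4 range.
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr: str, forwarded_for: str,
                        trusted_proxies: List[Network]) -> str:
    """Pick the address to check when the app sits behind a reverse proxy.

    Assumption: each trusted proxy appends the peer it saw to X-Forwarded-For.
    Walk the chain from the right (the hop nearest to us) and return the first
    address that is not a trusted proxy. Anything further left was supplied by
    the client itself and could be forged, so it is ignored.
    """
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    hops.append(remote_addr)  # the socket peer is the rightmost, most trusted hop
    for hop in reversed(hops):
        if not ip_in_allowlist(hop, trusted_proxies):
            return hop
    return remote_addr  # every hop was a proxy; fall back to the peer


def is_request_allowed(path: str, client_ip: str, nets: List[Network]) -> bool:
    """Unrestricted paths always pass; restricted paths need an allowlisted source."""
    if not path.startswith(RESTRICTED_PREFIXES):
        return True
    return ip_in_allowlist(client_ip, nets)


if __name__ == "__main__":
    # Constructed allowlist: the thread's example range written both ways,
    # plus an RFC 5737 documentation range standing in for a second source.
    allow = normalize_allowlist(["52.222.122.97/32", "52.222.122.97", "203.0.113.0/24"])
    proxies = normalize_allowlist(["10.0.0.0/8"])  # constructed router range
    # The leftmost XFF entry is client-supplied and ignored; the proxy-observed
    # peer 52.222.122.97 is what gets checked against the allowlist.
    ip = effective_client_ip("10.1.2.3", "198.51.100.9, 52.222.122.97", proxies)
    print(ip, is_request_allowed("/downloads/report.csv", ip, allow))
```

The point this makes for the thread is the one the first comment discovered: a browser-originated call arrives with the user's address, not cloud.gov's, so only a request the CMS makes server-side will pass `is_request_allowed` for /downloads/. The trusted-proxy list must be kept separate from the download allowlist; merging them would let any request that merely passed through the router count as coming from cloud.gov.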
lbeaufort changed the title from "API key configuration changes" to "Make downloads only available to CMS" on Mar 14, 2019