Version: 10.2.0
Hi there, we were recently pen tested. They failed us on this:
"When an unauthenticated user browses to https://xxxx.xxx.net/, a request is automatically triggered to https://xxxx.xxx.net/AbpUserConfiguration/GetAll and contains information about the application"
Is there a way for us to hide/block access to this endpoint, AbpUserConfiguration/GetAll, as it contains a lot of data useful in the wrong hands?
Thank you
1 Answer(s)
Hi @KieranIrl
If there is no authenticated user, this endpoint returns some public information. But, if you still want to hide some parts of it, you can create your own implementation of https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Web.Common/Web/Configuration/AbpUserConfigurationBuilder.cs and hide some data. Then, you also need to create a similar controller to https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.AspNetCore/AspNetCore/Mvc/Controllers/AbpUserConfigurationController.cs and use your custom implementation in it.
Finally, call your new controller from the client side, for example:
https://xxxx.xxx.net/MyAbpUserConfiguration/GetAll
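As an added illustration of the answer above (example code written for this page, not ASP.NET Boilerplate's own source and not code from the answer's author), here is a custom controller exposed at the suggested /MyAbpUserConfiguration/GetAll route. Rather than re-implementing the whole builder, it injects the framework's default AbpUserConfigurationBuilder, calls its GetAll() method, and, when there is no authenticated user, drops the sections an anonymous page has no use for before returning the JSON. The namespace, the controller name and the choice of which sections to strip are assumptions for the example; the GetAll() signature follows the linked dev-branch source and should be checked against the installed 10.2.0 package.

```csharp
// Added example for this forum answer; not part of ASP.NET Boilerplate itself.
// Assumes an ASP.NET Core app on ASP.NET Boilerplate where the default
// AbpUserConfigurationBuilder is registered in the IoC container.
using System.Threading.Tasks;
using Abp.AspNetCore.Mvc.Controllers;
using Abp.Web.Configuration;
using Abp.Web.Models;
using Microsoft.AspNetCore.Mvc;

namespace MyCompany.MyProject.Web.Controllers // hypothetical namespace
{
    // Served at /MyAbpUserConfiguration/GetAll, matching the URL in the answer.
    public class MyAbpUserConfigurationController : AbpController
    {
        private readonly AbpUserConfigurationBuilder _builder;

        public MyAbpUserConfigurationController(AbpUserConfigurationBuilder builder)
        {
            _builder = builder;
        }

        // DontWrapResult keeps the same raw JSON shape the built-in endpoint
        // returns, so the existing client-side bootstrap code can parse it.
        [DontWrapResult]
        public async Task<JsonResult> GetAll()
        {
            // Start from the framework's full configuration object.
            AbpUserConfigurationDto config = await _builder.GetAll();

            // AbpSession.UserId is null for an unauthenticated caller.
            if (AbpSession.UserId == null)
            {
                // Which sections an anonymous page really needs is app-specific;
                // these four are stripped here as an illustrative choice.
                config.Features = null; // enabled feature flags
                config.Nav = null;      // menu structure
                config.Auth = null;     // permission names
                config.Custom = null;   // app-specific extras
            }

            return Json(config);
        }
    }
}
```

Two practical points. First, this only changes what the new route returns; the original /AbpUserConfiguration/GetAll route is still registered by the framework, so if the pentest finding is about that URL specifically, it also needs to be restricted (for example by an authorization policy on that endpoint), not merely left uncalled. Second, verify the result the way the tester did: request the new route without a session cookie and confirm the stripped sections are absent, then repeat with a logged-in session to confirm nothing the authenticated client relies on was lost.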