Skip to content
This repository has been archived by the owner on Apr 16, 2020. It is now read-only.

Daemon security #23

Open
jbenet opened this issue Sep 14, 2015 · 5 comments
Open

Daemon security #23

jbenet opened this issue Sep 14, 2015 · 5 comments

Comments

@jbenet
Copy link
Collaborator

jbenet commented Sep 14, 2015

the readme says:

Make sure your ipfs daemon is running with API_ORIGIN set to '*', and using --unrestricted-api:

this is really, really bad. users should not be advised to do this. if developers are asked to do this, note the dangers.
@krl
Copy link
Collaborator

krl commented Sep 14, 2015

Fair point, will add warning bells

@krl
Copy link
Collaborator

krl commented Sep 14, 2015

@jbenet Do we have any text i could link that talk about why this is dangerous?

@krl
Copy link
Collaborator

krl commented Sep 14, 2015

#27

@jbenet
Copy link
Collaborator Author

jbenet commented Sep 14, 2015

not yet

@kpcyrd
Copy link

kpcyrd commented Sep 18, 2015

@krl I'm not yet that deep into how the ipfs admin interface works (so this could be wrong), but by running

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["PUT", "GET", "POST"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Credentials '["true"]'

you're effectively disabling the Same Origin Policy and allow any website you visit to control your local ipfs daemon.

(If found this snippet by running ipfs daemon --help looking for docs what exactly --unrestricted-api does, maybe there should be a warning, too)

If there's interest I could investigate further and write up something for the docs repo.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@krl @jbenet @kpcyrd