.. _integrator_security: Security ======== Enable / Disable WMS GetCapability ---------------------------------- Set ``hide_capabilities`` to ``true`` in your ``vars_.yaml`` to disable the WMS GetCapability when accessing the Mapserver proxy (mapserverproxy). Default: ``false`` Force authentication when accessing the Mapserver proxy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If your WMS contains private layers and you wish to force a client to authenticate in order to always obtain all layers (including private layers), you can force authentication by adding the parameter ``authentication_required`` to the WMS URL. This setting may be necessary for the good operation of some clients such as ArcMap. For example, if your WMS is accessible as .. code:: html https:////wsgi/mapserv_proxy then you can use the following URL to force authentication: .. code:: html https:////wsgi/mapserv_proxy?authentication_required=true Enable / Disable the admin interface ------------------------------------ To disable the admin interface, set ``enable_admin_interface`` to ``false`` in your ``vars_.yaml`` file. Default: ``true`` Enable / Disable the OGC proxy ------------------------------ To enable the OGC proxy, set ``ogcproxy_enable`` to ``true`` in your ``vars_.yaml`` file. Default: ``false`` And adding the ``papyrus_ogcproxy`` package in the ``install_requires`` of the ``setup.py`` file. In the ``viewer.js`` files you should also add the ``OpenLayers.ProxyHost`` configuration: .. code:: javascript OpenLayers.ProxyHost = "${request.route_url('ogcproxy') | n}?url="; Working without this proxy implies that all external WMS services (from the database and from the WMS browser) should have the CORS headers (`enable-cors.org `_). Access to services by external servers -------------------------------------- By default, only localhost can access c2c's services. To permit access to a specific service by an external server, you must set headers CORS (Access-Control-Allow-Origin) in your ``vars_.yaml`` file. Add or modify the structure like that: .. code:: yaml headers: : access_control_allow_origin: ["", "", ...] access_control_max_age: 3600 A ``"*"`` can be included in ``access_control_allow_origin`` to allow everybody to access, but no credentials will be passed in the case. Available services are: Entry: - index - config - api Services: - themes - login - mapserver - print - profile - raster - layers - login - error Authorized referers ------------------- To mitigate `CSRF `_ attacks, the server validates the referer against a list of authorized referers. By default, only the pages coming from the server are allowed. You can change that list by adding an ``authorized_referers`` list in your ``vars_.yaml`` file. This solution is not the most secure (some people have browser extensions that reset the referer), but that is the easiest to implement with all our different JS frameworks.