Umbraco API (WebAPI) access issue
Hi all,
I implemented an Umbraco API controller on the following path:
/Umbraco/Api/{Controller}/{Action}?{param1}={value1}&{param2}={value2}
However, for security reasons /Umbraco/ is blocked in production, so this API is not accessible in production.
Is there any way I can change this path to use anything other than /Umbraco/Api?
Since it is recommended as a good security practice to block /umbraco/ in production, I wonder why it was decided it would be a good idea to use /umbraco/api for this naming pattern.
Thanks!
How are you blocking /umbraco? If it is by IP, and you open it up by IP, and you are able to log in via the Umbraco backend, you should be able to access the API URL.
If you are calling that API from the server side, you would want to unblock /umbraco from the IP of the production server.
Thanks for taking a look.
It is blocked in IIS; nobody is supposed to be able to log in via the Umbraco backend in production. All the content changes are made in staging and then the database is deployed to production as is. Having Umbraco visible on the site was detected as a vulnerability by the security team, and since nobody is supposed to make any content changes in production, it was decided to completely block it.
The call to the API is made at the client side, in an AJAX call, so white-listing is not an option.