devlikeapro / waha

WAHA - WhatsApp HTTP API (REST API) that you can configure in a click! Two engines: chromium-based WEBJS and pure-websocket NOWEB
https://waha.devlike.pro/
Apache License 2.0
878 stars 273 forks

[feature] Can I disable swagger module based on configuration #185

Closed gr8tushar closed 9 months ago

gr8tushar commented 1 year ago

Hi, when deploying on production, I would want to disable the swagger module altogether. Can I disable it based on some configuration?

Thanks, Tushar

allburov commented 1 year ago

Hi! Right now you can hide it behind a password: https://waha.devlike.pro/docs/how-to/security/

I like the idea, we'll work in that way too!

webair-studio commented 9 months ago

@allburov Hello, sorry for writing in Russian, but judging by your nickname you know Russian ) I installed WAHA Core, but I'm worried that anyone can send a request to my API. Botnets scanning server ports can find port 3000 and send a spam message to everyone. My knowledge of IPTABLES is limited; I tried DROP tcp -- anywhere anywhere tcp dpt:3000 but the port is still open to everyone...

I'm going to buy Plus as soon as it brings me financial benefit.

allburov commented 9 months ago

@webair-studio hi! WAHA Plus provides all security options available - API key and password for swagger https://waha.devlike.pro/docs/how-to/security/ Even if you could hide the swagger - it wouldn't help you with possible security problems, the API is hosted on the same port, http://localhost:3000/api With WAHA Core I can suggest running the WAHA container inside a local network and not exposing the port, or figuring out how to protect it with a network firewall.

allburov commented 9 months ago

Hi! In 2023.12.1 release you'll be able to completely disable (hide) swagger documentation from the project (available in WAHA Plus only) https://waha.devlike.pro/docs/how-to/security/#disable-swagger

Disable Swagger

You can also hide Swagger completely by setting the WHATSAPP_SWAGGER_ENABLED=false environment variable.

👉 Disabling Swagger does not protect the API, please use API security as well
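The two points made in this thread, not exposing the port beyond the host and hiding Swagger without treating it as protection, put together in a compose file. This is an added example, not configuration from the WAHA project or from anyone in the thread; the image name and the WHATSAPP_API_KEY variable are assumptions, while WHATSAPP_SWAGGER_ENABLED comes from the linked security docs.

```yaml
# Added example, not from the WAHA project or this issue.
# Assumptions: the image name and the WHATSAPP_API_KEY variable are
# not on this page and should be checked against the security docs;
# WHATSAPP_SWAGGER_ENABLED is documented there.
services:
  waha:
    image: devlikeapro/waha          # assumed image name
    restart: unless-stopped
    ports:
      # Weak: "3000:3000" binds 0.0.0.0:3000 on the host. Docker
      # publishes the port through its own nat/DOCKER chains and the
      # FORWARD path, so an INPUT rule such as
      #   iptables -A INPUT -p tcp --dport 3000 -j DROP
      # (the rule tried above) never sees that traffic and the port
      # stays reachable from any address.
      # - "3000:3000"
      #
      # Hardened: publish to loopback only. The API and Swagger are
      # reachable from this host (or a reverse proxy running on it),
      # not from the network.
      - "127.0.0.1:3000:3000"
    environment:
      # Hide Swagger (Plus feature, per the thread). This only removes
      # the docs page; /api lives on the same port and is unaffected.
      WHATSAPP_SWAGGER_ENABLED: "false"
      # Require an API key on every request (assumed variable name).
      # Placeholder value: generate a long random secret for real use.
      WHATSAPP_API_KEY: "CHANGE-ME-long-random-secret"
```

If the port must be reachable from other machines, keep the loopback binding and put an authenticating reverse proxy in front, or filter in the DOCKER-USER chain, which Docker consults before its own forwarding rules.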