uo-lca / CalRecycleLCA

CalRecycle Used Oil LCA Online Tool

Security issue for /config routes #245

Open bkuczenski opened 9 years ago

bkuczenski commented 9 years ago

The /config routes should not be publicly accessible because they allow a user to create and modify ScenarioGroups and view and change the ownership of scenarios.

Ryan has proposed the use of IIS request filtering, using hidden segments, but that does not seem to allow for any exceptions, such as a configured "whitelist" of clients who are allowed to execute the commands.

The problem could also be solved with proper authentication / authorization.

More thoughts needed
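The two approaches weighed in this issue, side by side, as an added illustration that is not part of the CalRecycleLCA project's own configuration: a request-filtering hidden segment that blocks the `config` segment for every client with no possible exception, and a per-path alternative that scopes an IP allow-list plus role-based authorization to `/config` only. The role name `ScenarioAdmins` and the addresses are assumed placeholders, and the two options are alternatives, not meant to be deployed together (the hidden segment would make the `<location>` rule unreachable).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Option A: hidden segment. Every URL containing a "config" path segment
       is refused (404) for every client. There is no allow-list mechanism,
       which is the limitation raised above. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Option B: restrict only the /config path, leaving the rest of the site untouched. -->
  <location path="config">
    <system.webServer>
      <security>
        <!-- Client allow-list: deny every address not listed.
             The addresses are placeholders; replace with the real operator hosts. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
    <!-- Proper authorization: only authenticated users in an assumed admin role
         may reach the ScenarioGroup and ownership operations. -->
    <system.web>
      <authorization>
        <allow roles="ScenarioAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `ipSecurity` section is locked at the server level by default and needs the IP and Domain Restrictions feature installed and unlocked in applicationHost.config before a site's web.config can set it. The `system.web` authorization rule only governs requests that pass through the ASP.NET pipeline, so routes served outside it still need the IIS-level rule.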