Server security options
The following security options are available:
If this option is set to true and authentication is enabled, non-admin users will be denied access to the following REST APIs:
The default value for this option is
arangod has several options that allow you to make your installation more secure when it comes to running application code in it. Below you will find an overview of the relevant options.
The set theory for these lists works as follows:
- Only a blacklist is specified: Everything is allowed except a set of items matching the blacklist.
- Only a whitelist is specified: Everything is disallowed except the set of items matching the whitelist.
- Both whitelist and blacklist are specified: Everything is disallowed except the set of items matching the whitelist. From this whitelisted set, subsets can be forbidden again using the blacklist.
Values for blacklist and whitelist options need to be specified as ECMAScript regular expressions. Each option can be used multiple times. When specifying more than one pattern, these patterns will be combined with a logical OR into the actual pattern ArangoDB will use.
These patterns and how they are applied can be observed by enabling --log.level SECURITY=debug in the arangosh log output.
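A minimal model of the three whitelist/blacklist rules above, as an added example rather than ArangoDB's own code. The function names, the way patterns are joined with `|`, the unanchored matching, the "neither list set means unrestricted" case, and all sample patterns and paths are assumptions made for illustration.

```javascript
'use strict';

// Combine several patterns into one with a logical OR. Wrapping each pattern
// in a non-capturing group is an assumption of this sketch; it keeps a "|"
// inside one pattern from merging with its neighbours.
function combine(patterns) {
  if (!patterns || patterns.length === 0) return null;
  return new RegExp(patterns.map((p) => `(?:${p})`).join('|'));
}

// Build a checker for one whitelist/blacklist pair (hypothetical helper).
function makeFilter({ whitelist = [], blacklist = [] } = {}) {
  const allow = combine(whitelist);
  const deny = combine(blacklist);
  return function isAllowed(item) {
    // Assumption: with neither list set, nothing is restricted.
    if (!allow && !deny) return true;
    // Only a blacklist: everything is allowed except blacklist matches.
    if (!allow) return !deny.test(item);
    // Whitelist set: everything is disallowed except whitelist matches ...
    if (!allow.test(item)) return false;
    // ... and the blacklist can forbid subsets of the whitelisted set again.
    return !deny || !deny.test(item);
  };
}

// Constructed sample items and patterns (not taken from the ArangoDB docs).
const samples = ['/etc/issue', '/etc/passwd', '/var/lib/app/data.json',
  '/var/lib/app/secret/key.pem'];

function evaluate(config) {
  const isAllowed = makeFilter(config);
  return samples.map((s) => isAllowed(s));
}

const cases = {
  blacklistOnly: { blacklist: ['^/etc/', 'secret'] },
  whitelistOnly: { whitelist: ['^/etc/issue$', '^/var/lib/app/'] },
  both: { whitelist: ['^/etc/issue$', '^/var/lib/app/'], blacklist: ['/secret/'] },
};

for (const [name, config] of Object.entries(cases)) {
  console.log(name, evaluate(config));
}
```

Note how an unanchored blacklist pattern such as `secret` matches anywhere in the item, so anchoring with `^` and `$` matters when a pattern is meant to cover one exact path.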
The security option to observe the behavior of the pattern matching most easily is the masquerading of the startup options:
These sets will resolve internally to the following regular expressions:
… and an exception will be thrown when trying to access items that are masked in the same way as if they weren’t there in the first place.
For example, when using the following startup options
/etc/issue will be allowed to be accessed and all files in the directories
--temp.path option at startup. If the option is not specified, ArangoDB will automatically use a subdirectory of the system’s temporary directory.
- http:// => tcp://
- https:// => ssl://
- no protocol will match http and https.
Filtering is done on the protocol, hostname / IP address, and the port.
arangodb.org will match:
ssl://arangodb.org will match:
ssl://arangodb.org:443 will match:
tcp://arangodb.org will match:
The following options are available for blacklisting and whitelisting access to dedicated functionality for application code:
srv://. Note that for HTTP/SSL-based endpoints the port number will be included too, and that the endpoint can be specified either as an IP address or host name from application code.
true, this option enables the internal module. The default value is .
internal module, which may leak information about the environment:
logLevel()
The default value is
The following options are available for controlling the installation of Foxx applications in an ArangoDB server:
--foxx.store: If set to , this option disables the Foxx app store in ArangoDB’s web interface, which will also prevent ArangoDB and its web interface from making calls to the main Foxx application GitHub repository at. The default value is