Security
Aspected provides basic security features to protect your data and control access to the server.
HTTPS / TLS
Aspected supports HTTPS with TLS certificates. To enable it, provide paths to your certificate and private key files (PEM format):
server:
  https:
    enabled: true
    certificatePath: /path/to/cert.pem
    privateKeyPath: /path/to/key.pem
Or via environment variables:
export ASPECTED_SERVER_HTTPS_ENABLED=true
export ASPECTED_SERVER_HTTPS_CERTIFICATE_PATH=/path/to/cert.pem
export ASPECTED_SERVER_HTTPS_PRIVATE_KEY_PATH=/path/to/key.pem
API Token Authentication
You can secure your Aspected instance by setting a static API token. When configured, every request must include the token in the Authorization header:
To enable token authentication, set the server.staticApiToken configuration option:
Or via an environment variable:
Requests without a valid token will be rejected.
Enable HTTPS when using an API token
If you have set a staticApiToken and are exposing Aspected directly to the internet, you must enable HTTPS. Without TLS, the API token is sent in plain text over the network and can be easily intercepted by an attacker using packet sniffing or a man-in-the-middle attack.
Always use HTTPS in production environments where the server is reachable from untrusted networks.
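The two settings above interact: a staticApiToken only protects anything if the connection carrying it is encrypted. The following added example (not part of Aspected itself) is a small pre-deployment check that reads the documented server.https and server.staticApiToken options, applies the three ASPECTED_SERVER_HTTPS_* environment variables listed above with the same override semantics, and reports the misconfigurations this page warns about. The configuration dictionaries, the severity levels and the internet_exposed flag are constructed for the example; the token's environment variable is not named on this page, so the check reads the token from the configuration only.

```python
"""Pre-deployment check for Aspected's HTTPS and API-token settings.

Added example, not Aspected's own code. It mirrors the documented
configuration keys and environment variables; the finding texts and the
`internet_exposed` flag are this example's own conventions.
"""

# Environment variables documented for the server.https section; each
# overrides the matching key in the `server: https:` block.
HTTPS_ENV = {
    "ASPECTED_SERVER_HTTPS_ENABLED": "enabled",
    "ASPECTED_SERVER_HTTPS_CERTIFICATE_PATH": "certificatePath",
    "ASPECTED_SERVER_HTTPS_PRIVATE_KEY_PATH": "privateKeyPath",
}


def _truthy(value):
    """Interpret a YAML boolean or an environment-variable string."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def effective_server_config(config, env):
    """Return the `server` section with environment overrides applied."""
    server = dict(config.get("server", {}))
    https = dict(server.get("https", {}))
    for var, key in HTTPS_ENV.items():
        if var in env:
            https[key] = env[var]
    server["https"] = https
    return server


def audit(config, env=None, internet_exposed=True):
    """Return a list of findings; an empty list means nothing to fix."""
    env = {} if env is None else env
    server = effective_server_config(config, env)
    https = server["https"]
    https_on = _truthy(https.get("enabled", False))
    token = server.get("staticApiToken")
    findings = []

    # HTTPS enabled without both PEM paths cannot serve TLS at all.
    if https_on:
        for key in ("certificatePath", "privateKeyPath"):
            if not https.get(key):
                findings.append(f"ERROR: https.enabled is true but {key} is not set")

    # A token over plain HTTP is readable by anyone on the path; this is
    # the case the page calls out. Treat it as an error once the server is
    # reachable from untrusted networks, as a warning otherwise.
    if token and not https_on:
        level = "ERROR" if internet_exposed else "WARN"
        findings.append(f"{level}: staticApiToken is set but HTTPS is disabled")

    # No token at all means every caller that can reach the port is accepted.
    if not token:
        findings.append("WARN: no staticApiToken configured; requests are not authenticated")

    return findings


if __name__ == "__main__":
    # Constructed configuration: token set, TLS left off.
    sample = {"server": {"staticApiToken": "example-token", "https": {"enabled": False}}}
    for line in audit(sample):
        print(line)
    # Same file, with TLS switched on through the documented environment variables.
    fixed_env = {
        "ASPECTED_SERVER_HTTPS_ENABLED": "true",
        "ASPECTED_SERVER_HTTPS_CERTIFICATE_PATH": "/path/to/cert.pem",
        "ASPECTED_SERVER_HTTPS_PRIVATE_KEY_PATH": "/path/to/key.pem",
    }
    print("after env override:", audit(sample, fixed_env))
```

Run it against the configuration you intend to ship (loaded with any YAML parser into a dictionary) and the environment of the service account; a clean result means the token-over-plaintext case described above cannot occur with that combination of file and environment.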
CORS
Default CORS behavior is same-origin only. To enable CORS, set the server.corsEnabled configuration option:
Or via an environment variable:
Access Control
Aspected also provides document-level access control through access keys. This allows you to restrict which documents are visible during search queries based on the caller's access permissions.
For full details on how access keys and access filters work, see the Access Control page.