Hi,
I see that the endpoint api/abp/application-configuration is retrieving a bunch of data even though the user is not authenticated.
I do understand that it's meant to be public, but it's exposing unnecessary data like (Password policy, Lockout Policy, SignIn.RequireConfirmedEmail, multiTenancy status, AuditLogging.Enable, LanguageManagement.Enable, Account.EnableLdapLogin, Identity.EnableOAuthLogin).
Is there a way to secure those? Maybe disabling them or making them available after authentication? Is this doable, and is it going to affect/break the front-end application?
I checked this article on how to extend them but can't seem to find a link in the docs about customizing that endpoint.
Thanks
8 Answer(s)
-
0
To customize or secure the api/abp/application-configuration endpoint in ABP Framework, here are the key points:
- The application-configuration endpoint is intentionally public by default, as it provides essential configuration data (like localization, settings, multi-tenancy info) required for the frontend to initialize and function properly, even before user authentication.
- Some sensitive settings (e.g., password policy, lockout policy, etc.) are included for the frontend to enforce or display relevant UI/UX, but you may want to restrict or hide them for security reasons.
How to Secure or Customize the Endpoint
Override the Controller or AppService:
- You can override the AbpApplicationConfigurationController or the underlying AbpApplicationConfigurationAppService to filter out or secure specific data.
- Add the [Authorize] attribute to require authentication, or selectively remove properties from the response.
Example (override controller and add authorization):

    [Authorize] // Require authentication
    public class MyApplicationConfigurationController : AbpApplicationConfigurationController
    {
        public MyApplicationConfigurationController(IAbpApplicationConfigurationAppService appService)
            : base(appService)
        {
        }

        // Optionally override methods to filter response data
    }
Potential Impact:
- Securing this endpoint (making it require authentication) or removing certain data may break the frontend, especially if your UI expects this data before login (e.g., for language selection, UI features, or login policies).
- If you remove or restrict data, you must also update your frontend to handle missing configuration gracefully.
Best Practice:
- If you only want to hide specific settings, override the service and filter out sensitive properties from the response, rather than securing the whole endpoint.
- If you secure the endpoint, ensure your frontend is updated to authenticate before calling it, or to handle missing data.
References and Further Reading
- Extending the Application Configuration Endpoint (Community Guide)
- Customizing Application Modules & Overriding Services (Official Docs)
- Application Configuration Endpoint (Official Docs)
This approach is supported by ABP's extensibility model, but you must carefully test your frontend to avoid breaking user experience.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
Both MVC and Angular need to make anonymous/authentication requests to this API. The content it returns is all public, and doesn't contain any secrets.
Thanks.
-
0
I'm not saying it's revealing a secret, and it doesn't have to reveal a secret to become a "Security Issue".
I'm saying this increases the attack surface on the application.
Is there a way to minimize that exposure? An anonymous user doesn't need to know my lockout policy nor my password policy and what it looks like.
-
0
hi
What is your solution structure? Can you share a screenshot?
UI type: ? Tiered: ?
Thanks.
-
0
ABP Framework v9.0.1, Angular, Tiered, Separated Auth.
Also, we have a Microservice project with an Angular app.
-
0
hi
Angular needs to call this API endpoint to initialize when the user is not logged in. You can't remove it.
https://abp.io/docs/latest/framework/api-development/standard-apis/configuration
This is by design.
Thanks.
-
0
[maliming] said: hi
Angular needs to call this API endpoint to initialize when the user is not logged in. You can't remove it.
https://abp.io/docs/latest/framework/api-development/standard-apis/configuration
This is by design.
Thanks.
The link you shared contains a way to extend the endpoint and append more data. Again, we are not trying to remove it; we need to reduce some of the data in the response.
How and where do we override this?
-
0
hi
we need to reduce some of the data in the response
You can replace the IAbpApplicationConfigurationAppService to reduce data from the DTO if the current user is anonymous: https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/ApplicationConfigurations/AbpApplicationConfigurationAppService.cs#L27
Thanks.
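One way to carry out the replacement suggested above, as an added example that is not part of this thread and not ABP's own code: register a replacement for IAbpApplicationConfigurationAppService that delegates to the framework's AbpApplicationConfigurationAppService and strips the Identity policy settings from Setting.Values when the caller is anonymous, leaving localization, auth grants, features and everything else the Angular bootstrap needs untouched. It assumes ABP's conventional registration still resolves the concrete AbpApplicationConfigurationAppService after the interface registration is replaced (so it is wrapped rather than subclassed, which avoids depending on that class's constructor), and the namespace and class name are hypothetical. The setting-name prefixes cover the password, lockout and sign-in policies named in the question; check them against your own /api/abp/application-configuration response before relying on the list.

```csharp
// Added example (not from the thread or the ABP source): replace
// IAbpApplicationConfigurationAppService with a wrapper that removes
// Identity policy settings from the response for unauthenticated callers.
using System;
using System.Linq;
using System.Threading.Tasks;
using Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Users;

namespace MyCompany.MyProject.Web; // hypothetical namespace

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IAbpApplicationConfigurationAppService))]
public class AnonymousFilteredApplicationConfigurationAppService
    : IAbpApplicationConfigurationAppService, ITransientDependency
{
    // Setting-name prefixes hidden from anonymous callers. Assumed to match the
    // password, lockout and sign-in policy settings in the question; verify
    // against your own endpoint response and adjust.
    private static readonly string[] HiddenSettingPrefixes =
    {
        "Abp.Identity.Password.",
        "Abp.Identity.Lockout.",
        "Abp.Identity.SignIn."
    };

    // The framework's own implementation, assumed to still be resolvable as itself.
    private readonly AbpApplicationConfigurationAppService _inner;
    private readonly ICurrentUser _currentUser;

    public AnonymousFilteredApplicationConfigurationAppService(
        AbpApplicationConfigurationAppService inner,
        ICurrentUser currentUser)
    {
        _inner = inner;
        _currentUser = currentUser;
    }

    public async Task<ApplicationConfigurationDto> GetAsync(ApplicationConfigurationRequestOptions options)
    {
        var config = await _inner.GetAsync(options);

        // Authenticated users keep the full response; the UI needs it after login.
        if (_currentUser.IsAuthenticated)
        {
            return config;
        }

        // Collect first, then remove, so the dictionary is not modified while enumerated.
        var hiddenKeys = config.Setting.Values.Keys
            .Where(IsHidden)
            .ToList();

        foreach (var key in hiddenKeys)
        {
            config.Setting.Values.Remove(key);
        }

        return config;
    }

    private static bool IsHidden(string settingName)
    {
        return HiddenSettingPrefixes.Any(
            prefix => settingName.StartsWith(prefix, StringComparison.Ordinal));
    }
}
```

Place the class in the project that hosts the endpoint (the HttpApi.Host in a tiered setup, or each gateway/service that serves it in the microservice solution); the controller resolves IAbpApplicationConfigurationAppService, so the wrapper is picked up without touching the controller. After deploying, exercise the anonymous flows the earlier answers warn about (login page, language selection and, if enabled, self-registration, whose form validation may read the password settings) to confirm nothing in the Angular UI depended on the removed keys.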