Why is this endpoint the only one that’s public? It asks for a token, but when queried, it’s accessible:
Hello,
GET /settings.json unauthenticated contains information about the instance configuration that can be used by the clients. This includes things such as what the preferred locale is, where the privacy policy is, whether SSO is enabled, whether public registration is open, etc.
This endpoint contains additional information when authenticated, such as which other plugins are enabled, e.g. what the other server capabilities are.
Cheers,
Hello,
Thank you for the explanation, that part is clear now.
Just to clarify my original question: I wasn’t asking what the endpoint is used for, but rather whether it is expected and considered normal/safe that /settings.json is publicly accessible (unauthenticated) on an internet-exposed Passbolt instance.
Since the instance is reachable from the internet, I wanted to confirm that exposing this endpoint by design is not a misconfiguration or a security concern, but an intentional behavior required for clients to function.
So, to summarize my doubt:
- Is it normal and expected that /settings.json is publicly accessible?
- Is this exposure considered safe from a security standpoint?
Thanks in advance for the clarification.
Best regards,
Is this exposure considered safe from a security standpoint?
Yes, as it only exposes the minimal amount of information that is required for the client to operate (like language preferences), and by default all instances have the same config. That’s why it contains different types of information depending on whether you are logged in or not, since the other information is not needed unless you are logged in.
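As an added illustration of the pattern the two answers describe (an unauthenticated /settings.json serving only an allowlisted subset, and capability details appearing only once authenticated), here is a small Python example. It is not Passbolt's own code, and the key names, the sample configuration and the captured response are constructed for the example, not Passbolt's actual schema. It also includes an operator-side check for comparing an instance's unauthenticated response against the expected public key set.

```python
import json

# Assumed/constructed key names for illustration; not the real Passbolt schema.
# Explicit allowlists (rather than a denylist of "secret" keys) are the point:
# anything not listed is never served, so a newly added config key is private by default.
PUBLIC_SETTINGS_ALLOWLIST = frozenset({
    "locale",                # preferred language shown on the login page
    "privacy_policy_url",    # where the privacy policy lives
    "sso_enabled",           # whether SSO is enabled
    "registration_public",   # whether public registration is open
})

# Additional keys returned only to an authenticated client (server capabilities).
AUTHENTICATED_SETTINGS_EXTRA = frozenset({
    "plugins_enabled",
})

# Constructed sample of an instance's full server-side configuration.
SAMPLE_INSTANCE_CONFIG = {
    "locale": "en-UK",
    "privacy_policy_url": "https://example.invalid/privacy",
    "sso_enabled": False,
    "registration_public": False,
    "plugins_enabled": ["mfa", "folders"],   # only needed by logged-in clients
    "smtp_host": "mail.example.invalid",     # operational detail, in no allowlist
}


def settings_response(config, authenticated):
    """Build the /settings.json payload for a request.

    Unauthenticated callers receive only PUBLIC_SETTINGS_ALLOWLIST keys; authenticated
    callers additionally receive AUTHENTICATED_SETTINGS_EXTRA. Keys in neither set
    (here smtp_host) are never included regardless of authentication state.
    """
    allowed = set(PUBLIC_SETTINGS_ALLOWLIST)
    if authenticated:
        allowed |= AUTHENTICATED_SETTINGS_EXTRA
    return {key: value for key, value in config.items() if key in allowed}


def unexpected_public_keys(response_text, allowlist=PUBLIC_SETTINGS_ALLOWLIST):
    """Operator-side check: given the JSON body captured from an unauthenticated
    GET /settings.json, return the set of top-level keys that are not on the expected
    public allowlist. An empty set means the instance discloses nothing beyond the
    documented public subset; anything else is worth reviewing."""
    payload = json.loads(response_text)
    if not isinstance(payload, dict):
        raise ValueError("expected a JSON object at the top level")
    return set(payload) - set(allowlist)


# Constructed capture of an unauthenticated response that leaks a capability key.
SAMPLE_UNAUTH_RESPONSE = json.dumps({
    "locale": "en-UK",
    "sso_enabled": False,
    "plugins_enabled": ["mfa"],
})


if __name__ == "__main__":
    print("unauthenticated:", settings_response(SAMPLE_INSTANCE_CONFIG, False))
    print("authenticated:  ", settings_response(SAMPLE_INSTANCE_CONFIG, True))
    print("beyond allowlist in captured response:",
          unexpected_public_keys(SAMPLE_UNAUTH_RESPONSE))
```

To use the check against a live instance, save the body of an unauthenticated GET /settings.json to a file and pass its contents to unexpected_public_keys; the allowlist argument should be adjusted to the key set your deployment actually documents as public.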
