Documentation
Security

REST API Access keys

Access keys are required for both reading data from and writing data to the REST API. Every JSON structure (see the table in section REST API) has its own pair of access keys (one for reading, one for writing). These keys are stored in another JSON structure, "apikeys", which is itself accessible only with the right access keys.

Warning
Because the keys for the "apikeys" structure itself are also stored in it, the read key of this structure is sufficient to gain read and write access to all of the REST API data. For this reason it is recommended to access the "apikeys" structure only through SSI calls (see section Server Side Include (SSI)) and only partially (e.g. api/v1/apikeys/keys/6 for access to the "data" structure); otherwise security breaches could result.
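
The recommendation above can be checked before the homepage is compiled. The following is an added example, not part of the eNetMini tooling: it scans homepage source text for references to the "apikeys" structure and reports any that sit outside an .shtml (SSI) file or that do not narrow the request to a single key. The function name, the sample files and the rule that a partial reference ends in a numeric index are assumptions.

```python
import re

# Any reference to the "apikeys" structure; group 1 is the sub-path after it.
APIKEYS_REF = re.compile(r"api/v1/apikeys\b((?:/\w+)*)")
# Assumption: a reference counts as "partial" only if it ends in a numeric
# index, like the page's own example api/v1/apikeys/keys/6.
PARTIAL = re.compile(r"(?:/\w+)*/\d+")

NOT_SSI = "apikeys referenced outside an SSI (.shtml) file"
TOO_BROAD = "apikeys requested without a single-key sub-path"


def audit_homepage(files):
    """Check homepage sources before compiling them for the device.

    files maps a relative path to the file's text.
    Returns a sorted list of (path, line_number, issue) tuples.
    """
    findings = []
    for path, text in files.items():
        is_ssi = path.lower().endswith(".shtml")
        for line_no, line in enumerate(text.splitlines(), 1):
            for ref in APIKEYS_REF.finditer(line):
                if not is_ssi:
                    findings.append((path, line_no, NOT_SSI))
                if not PARTIAL.fullmatch(ref.group(1)):
                    findings.append((path, line_no, TOO_BROAD))
    return sorted(findings)


# Constructed sample sources. "[SSI: ...]" is a placeholder, not the device's
# real SSI syntax; only the path string matters to the check.
SAMPLE_FILES = {
    "rw/panel.shtml": "<p>[SSI: api/v1/apikeys/keys/6]</p>\n",
    "su/debug.shtml": "<pre>\n[SSI: api/v1/apikeys]\n</pre>\n",
    "js/app.js": "var url = '/api/v1/apikeys';\n",
}

if __name__ == "__main__":
    for path, line_no, issue in audit_homepage(SAMPLE_FILES):
        print(f"{path}:{line_no}: {issue}")
```
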

HTTP Authentication

In the root directory of the homepage there are three directories, "ro", "rw" and "su", which are secured by HTTP authentication. Files in these directories can be accessed only with the right username and password combination. These usernames and passwords are also stored in JSON structures:

  • /api/v1/httpsu structure for user "SU"
  • /api/v1/httprw structure for user "RW"
  • /api/v1/httpro structure for user "RO"

Every user has access to its corresponding folder.

  • User "SU" has access to the /su folder,
  • User "RW" has access to the /rw folder
  • and User "RO" has access to the /ro folder.

There is a hierarchy between the users:

  1. SU - Super User -> has access to every folder
  2. RW - Read Write -> has access to its own folder and the "RO" user's folder
  3. RO - Read Only -> has access only to its own files.

All other files outside of these three directories are not protected and can be accessed by anyone.

HTTPS / TLS

Not implemented yet.

Installation/Deployment

The homepage is developed and installed onto the eNetMini device using two programs, "eNetMiniBootCon" and "eNetMiniHomepageCon". The eNetMiniHomepageCon program creates a binary file for the device from the given source files. The eNetMiniBootCon program installs that file onto the device over the network. Detailed documentation and a download link for these programs can be found here: http://www.enetmini.de/downloads.html

Short installation guide:

  1. Create your own homepage.
  2. Compile the source files using the eNetMiniHomepageCon program.
  3. Start the device and connect it via network with your computer.
  4. Start the eNetMiniBootCon program with the right configuration.
  5. Start the FHU (Force Homepage Update) with the computer's IP address and the name of the binary file.

Note
To improve the performance and responsiveness of the homepage, the eNetMini device uses the HTTP protocol's caching mechanism. For requests for shtml (HTML + SSI) and CGI files, as well as requests to the REST API, the device sets the "cache-control" flag to "no-store", which forbids the browser from saving and reusing these responses, since they could contain real-time data. For everything else (JavaScript, CSS, images, etc.) the device sets the flag to "max-age=3600", which allows the browser to cache the file for one hour without requesting it again.
It is recommended to turn the browser's caching off during the development and testing of a new homepage, otherwise the browser may use old and invalid files.