Token Restriction in URL

06-10-2023 11:55 PM
Status: Open
ahmedbadr2
New Contributor II

We have a security concern that a generated token can be used by another user on a different machine, with all the normal access to portal resources, by capturing the token during an internal request within the portal. Is there a way to hide the token or to make the portal's internal requests use POST?

1 Comment
SimonSchütte_ct

If you are referring to the personal token that is generated when you access resources while logged in to Portal, enable HTTPS. This should prevent users from sniffing the web traffic to read out the tokens.
Of course, tokens should in no case be shared and should be treated like passwords.
Configure HTTPS—Portal for ArcGIS | Documentation for ArcGIS Enterprise
Enforce strict HTTPS communication—Portal for ArcGIS | Documentation for ArcGIS Enterprise

If you are referring to generated access tokens, you can limit token access to a specific IP address + expiration time.

Specify the maximum token expiration time—Portal for ArcGIS | Documentation for ArcGIS Enterprise
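
The IP + expiration restriction mentioned in the comment, as an added example that is not part of the original thread or Esri's own code: a Python sketch that builds a Portal `generateToken` request over HTTPS only, with credentials in the POST body and the token bound to one client IP, plus a helper that masks a `token` query parameter before a URL is logged. The host name, account, IP address and the 60-minute cap are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

MAX_EXPIRATION_MIN = 60  # assumed local policy cap, not an Esri default


def build_token_request(portal_url, username, password, client_ip, expiration_min=15):
    """Build (not send) a generateToken POST bound to one client IP."""
    if urlsplit(portal_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if not 1 <= expiration_min <= MAX_EXPIRATION_MIN:
        raise ValueError("expiration outside the allowed range")
    ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on junk input
    form = {
        "username": username,
        "password": password,
        "client": "ip",                     # bind the token to the address in `ip`
        "ip": ip,
        "expiration": str(expiration_min),  # minutes
        "f": "json",
    }
    return Request(
        portal_url.rstrip("/") + "/sharing/rest/generateToken",
        data=urlencode(form).encode("ascii"),  # form fields travel in the body
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def redact_token(url):
    """Mask a token query parameter before a URL is logged or shared."""
    return re.sub(r"(?i)([?&]token=)[^&#]+", r"\1REDACTED", url)


if __name__ == "__main__":
    # Constructed sample values.
    req = build_token_request("https://portal.example.com/portal",
                              "svc_reader", "placeholder-password", "203.0.113.10")
    print(req.get_method(), req.full_url)
    print(redact_token("https://portal.example.com/x?f=json&token=abc123&w=1"))
```
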