Hide rest endpoint that is currently exposed for anonymous Survey123 form

ECarson

Hi,

Is it possible to not have the rest endpoint visible that an Anonymous Suvery123 form utilizes?

Is there a way to only allow the Survey123 anonymous website to create the handshake with portal so the rest endpoint isn't visible?

What security measures has anyone else implemented for anonymous Survey123 sites that might be useful?

Regards,

Elliott

jcarlson

As far as I know, there's not a good way to do this. Public is public, and there's not a way to prevent users from just watching their network traffic to see where their survey responses are going and copy the URL.

What is the security concern with the REST endpoint being visible? You can disable the query capability on the service to prevent anonymous users from seeing the data in the layer, and restrict editing to adding new features only.

You'll still be potentially vulnerable to your form / service getting spammed, but I don't think you can avoid that.

- Josh Carlson
Kendall County GIS

abureaux

I would agree with @jcarlson. And to take this one step further, if your Portal exists on the internets, it's being scanned and copied automatically by more people than you can shake a stick at and yell "get off my ~~lawn~~ network". Security is very important, and Esri has numerous recommendations surrounding this (here is a good one targeted at S123 to get started).

Essentially, you can assume people know that your server exists and where it exists. But you can prevent them from getting access to files they shouldn't see via security. Malicious means aside, that security should give you the privacy that you need.

If you want no one to know that your server exists, then you probably need it in an offline environment.