Security Considerations
Please consult the topics below for various security considerations.
Endpoint Security
It’s important to prevent outside access to the internal APIs. By default these are served on 127.0.0.1:8081 and are not protected by API security, so anyone who can reach that port can call them.
If you expose the internal APIs beyond localhost, for example to your internal network, take the appropriate measures to secure them (an SSH tunnel, the node’s API security feature, network ACLs, etc.).
In addition to securing the internal APIs, it’s recommended to limit access to the public APIs using a reverse proxy. This will allow you to control access to the public APIs, do TLS termination and add additional security measures such as rate limiting and request-size limits. Deny by default: block any path that’s not used by the Nuts node and only forward the paths it actually serves.
(D)DoS Protection
Consider implementing (D)DoS protection on the application layer for all public endpoints. Monitor and log the following metrics:
Number of requests per second
Number of requests from a single IP address
Number of non-20x responses
Any outliers should be investigated.
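The three metrics above, computed from nginx combined-format access log lines with plain awk and checked against thresholds, as an added example that is not part of the Nuts node or its documentation. The log lines are constructed for the example (not real traffic) and the thresholds are assumptions to tune per deployment.

```shell
#!/bin/sh
# Added example, not part of the Nuts node or its documentation: compute
# requests per second, requests per source IP and the number of non-20x
# responses from nginx "combined" access log lines, then flag outliers.
# The log lines are constructed, not real traffic; thresholds are
# assumptions to tune per deployment.

# Constructed sample: a burst of four requests from one client in the same
# second (three of them errors) plus a few normal requests.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /oauth2/alice/token HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /oauth2/alice/token HTTP/1.1" 400 90 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /oauth2/alice/token HTTP/1.1" 400 90 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /oauth2/alice/token HTTP/1.1" 413 0 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /.well-known/did.json HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /discovery/example-service HTTP/1.1" 201 0 "-" "Go-http-client/1.1"
192.0.2.4 - - [10/Oct/2023:13:55:38 +0000] "GET /status/diagnostics HTTP/1.1" 403 0 "-" "python-requests/2.31"'

# Requests per second. Field 4 is "[dd/Mon/yyyy:HH:MM:SS"; splitting on
# ":" gives the HH:MM:SS key. Output: "<count> <HH:MM:SS>", highest first.
requests_per_second() {
  awk '{ split($4, t, ":"); key = t[2] ":" t[3] ":" t[4]; n[key]++ }
       END { for (k in n) print n[k], k }' | sort -rn
}

# Requests per source IP (field 1). Output: "<count> <ip>", highest first.
requests_per_ip() {
  awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of responses whose status (field 9) is not 2xx.
non_20x_count() {
  awk '$9 !~ /^2[0-9][0-9]$/ { c++ } END { print c+0 }'
}

# Flag seconds and clients above the thresholds (defaults assumed: 3/s and
# 3 per IP for this tiny sample). Prints one "OUTLIER:" line per finding.
flag_outliers() {
  max_rps=${1:-3}
  max_per_ip=${2:-3}
  log=$(cat)
  printf '%s\n' "$log" | requests_per_second | awk -v lim="$max_rps" \
    '$1 > lim { printf "OUTLIER: %d requests in second %s (limit %d)\n", $1, $2, lim }'
  printf '%s\n' "$log" | requests_per_ip | awk -v lim="$max_per_ip" \
    '$1 > lim { printf "OUTLIER: %d requests from %s (limit %d)\n", $1, $2, lim }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | requests_per_second
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
echo "non-20x responses: $(printf '%s\n' "$SAMPLE_LOG" | non_20x_count)"
printf '%s\n' "$SAMPLE_LOG" | flag_outliers 3 3
```

In production, feed the proxy’s access log to these functions (for example `tail -n 10000 /var/log/nginx/access.log | flag_outliers 50 200`) from a cron job or your log pipeline, and page on any OUTLIER line; the per-IP metric is the one that separates a single abusive client from a general traffic spike.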
Maximum client body size for public-facing POST APIs
Various parts of the Nuts Node API allow for POST requests. To prevent abuse, you should limit the size of the request body. The following public APIs accept POST requests:
/discovery/{service}
/oauth2/{subjectID}/token
/oauth2/{subjectID}/request.jwt/{id}
/oauth2/{subjectID}/response
To prevent malicious uploads, you MUST limit the size of the requests. As a safeguard, the Nuts node will also limit the size of request bodies.
For example, Nginx has a configuration directive to limit the size of the request body:
client_max_body_size 1M;
The actual limit depends on your use case. It should be large enough for Verifiable Presentations to be uploaded, but small enough to prevent abuse.
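The reverse-proxy set-up described above (deny-by-default path blocking, TLS termination, per-IP rate limiting and the request body cap), as an added nginx example that is not part of the Nuts documentation or the Nuts node itself. It assumes the fragment sits in the http context, that the node’s public interface listens on 127.0.0.1:8080 (the text only states the 127.0.0.1:8081 default for the internal interface; 8080 is an assumption), and that node.example.com and the certificate paths are placeholders.

```nginx
# Added example: nginx in front of a Nuts node. Not part of the Nuts
# documentation or the node itself. Assumptions: this fragment lives in
# the http {} context; the node's public interface listens on
# 127.0.0.1:8080 (only the internal default, 127.0.0.1:8081, is stated
# in the text); node.example.com and the certificate paths are placeholders.

# Per-source-IP rate limit: 10 requests/second steady state. Requests
# above the burst allowance configured per location are rejected with 429.
limit_req_zone $binary_remote_addr zone=nuts_public:10m rate=10r/s;
limit_req_status 429;

server {
    listen 443 ssl;
    server_name node.example.com;

    # TLS terminates here; the node only sees plain HTTP on loopback.
    ssl_certificate     /etc/nginx/tls/node.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/node.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forwarded headers so the node can reconstruct the external URL.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Deny by default: any path not matched by a location below is
    # answered here and never forwarded to the node.
    location / {
        return 404;
    }

    # The internal API must never be reachable through the public proxy,
    # even if someone later binds it to something other than loopback.
    location /internal/ {
        return 403;
    }

    # did:web documents (.../did.json): read-only, GET/HEAD only.
    location ~ /did\.json$ {
        limit_except GET { deny all; }
        limit_req zone=nuts_public burst=20 nodelay;
        proxy_pass http://127.0.0.1:8080;
    }

    # The public POST endpoints listed above (/oauth2/... and
    # /discovery/...). The body cap stops oversized uploads before they
    # reach the node; 1m is a starting point, size it for the largest
    # Verifiable Presentation you expect to receive.
    location ~ ^/(oauth2|discovery)/ {
        limit_req zone=nuts_public burst=20 nodelay;
        client_max_body_size 1m;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check the result with `nginx -t` and then from outside: a request to an unlisted path (for example `/internal/vdr/`) must get 403 or 404 from nginx, and a POST to `/oauth2/.../token` with a body larger than the cap must get 413 without the node ever seeing it.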
Key rotation
It’s important to have a key rotation policy in place. The Nuts node uses its private keys for a large number of signing operations (credentials, presentations and tokens), so a lot of signed material accumulates under each key. Rotate keys regularly so that a leaked or compromised key has a bounded window in which it can be abused, and so that the rotation procedure is exercised before you need it in an incident.
Using did:web
The did:web method allows for easier integration with existing web infrastructure. Its security, however, rests entirely on control of the domain: whoever can serve content at the did.json URL can publish a DID document with their own keys. It is therefore less secure than other methods and vulnerable to domain takeover.
When using did:web, you should consider the following:
Protect your domain from takeover. Use a registrar lock, and make sure the name stays locked for at least a year after you cancel it so that it cannot be re-registered by someone else while DIDs under it are still in use.
Monitor calls to **/did.json on the domain and make sure they are handled by the Nuts Node, not by another application, a default virtual host or a redirect.
Store the private keys in Hashicorp Vault or Microsoft Azure Key Vault. This is even more important when using did:web, because the DID document is only as trustworthy as the host serving it and the keys backing it.
Use DNS over HTTPS and enable DNSSEC, so that resolution of the domain cannot be silently redirected.
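As an added example (not part of the Nuts node or its documentation) of the monitoring point above: a POSIX shell script that turns a did:web identifier into the URL it resolves to, following the did:web method rules (colons in the path become slashes, %3A in the host becomes the port separator, and a DID with no path resolves to /.well-known/did.json), and checks that the document served there declares the expected DID. The sample DID document is constructed; `check_hosted_did` assumes curl and network access and is the part you would run periodically.

```shell
#!/bin/sh
# Added example, not part of the Nuts node or its documentation: resolve a
# did:web identifier to its did.json URL and verify the served document
# declares the expected DID. SAMPLE_DID_DOC is constructed for the example.

# did:web resolution: strip "did:web:", decode %3A in the host (port
# separator), turn remaining ":" into "/", and append /did.json, or
# /.well-known/did.json when the DID has no path component.
didweb_to_url() {
  did=$1
  case $did in
    did:web:*) ;;
    *) echo "not a did:web identifier: $did" >&2; return 1 ;;
  esac
  rest=${did#did:web:}
  host=${rest%%:*}
  path=${rest#"$host"}
  host=$(printf '%s' "$host" | sed 's/%3[Aa]/:/g')
  if [ -z "$path" ]; then
    echo "https://$host/.well-known/did.json"
  else
    echo "https://$host$(printf '%s' "$path" | tr ':' '/')/did.json"
  fi
}

# Verify that a DID document (JSON on stdin) declares the expected id.
# A document for a different DID, an error page or a default vhost's
# index (what you see after a takeover or a misrouted path) fails this.
did_document_matches() {
  expected=$1
  esc=$(printf '%s' "$expected" | sed 's/[.[\*^$]/\\&/g')
  grep -q "\"id\"[[:space:]]*:[[:space:]]*\"$esc\""
}

# Live check (needs network): fetch the document the DID resolves to and
# verify it. Run this from a scheduler and alert when it fails; that is
# the moment **/did.json stopped being served by the Nuts node.
check_hosted_did() {
  url=$(didweb_to_url "$1") || return 1
  curl -fsS --max-time 10 "$url" | did_document_matches "$1"
}

# Constructed sample document, as the node would serve it for
# did:web:example.com:iam:alice (example values only).
SAMPLE_DID_DOC='{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:example.com:iam:alice","verificationMethod":[{"id":"did:web:example.com:iam:alice#key-1","type":"JsonWebKey2020","controller":"did:web:example.com:iam:alice"}]}'

# Stand-alone run: show the resolution rules and check the sample document.
didweb_to_url did:web:example.com
didweb_to_url did:web:example.com:iam:alice
didweb_to_url did:web:example.com%3A8443:iam:alice
if printf '%s' "$SAMPLE_DID_DOC" | did_document_matches did:web:example.com:iam:alice; then
  echo "OK: document declares did:web:example.com:iam:alice"
else
  echo "MISMATCH: served document is not for the expected DID"
fi
```

The id check is deliberately strict about the closing quote, so a verificationMethod id such as `did:web:example.com:iam:alice#key-1` does not satisfy a check for the bare DID; extend `did_document_matches` with a comparison of the expected key material if you also want to detect a document that was replaced under the same id.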