Both guides talk about URI restriction:
- Restrict access to URIs that you do not use, and prevent internal endpoints such as /sessionservice from being reachable over the Internet.
- Restrict access to URIs not used by your use-cases: internal endpoints SHOULD NOT be reachable from the Internet (/sessionservice and accompanies).
What exactly is "such as /sessionservice"? What exactly is "/sessionservice and accompanies"?
Don't you feel annoyed when you read such a hardening guide? Which endpoint(s) are to be restricted?
Luckily, there is this Security Advisory from ForgeRock. Vulnerable endpoints:
How do we go about restricting the endpoints in the Apache HTTPD server when it is deployed as a reverse proxy in front of the OpenAM server?
The above only allows access to the endpoints from a fixed range of internal IP addresses.
If we want to harden further by disallowing REST API calls, we can add "identity" to the LocationMatch.
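As an added example, not the post's own configuration, the fragment below shows an Apache 2.4 reverse proxy in front of OpenAM with the restriction described above: the internal endpoints are only reachable from a trusted network range, and the second LocationMatch pattern shows the "identity" variant that also blocks the legacy REST API. The context path /openam, the backend host openam-internal.example:8080 and the range 10.0.0.0/8 are placeholders I chose for the example, not values from the page.

```apache
# Added example (not from the original post). Apache 2.4 (mod_authz_core, mod_proxy).
# Assumptions: OpenAM is deployed under /openam on an internal host, and the trusted
# internal network is 10.0.0.0/8. Replace these placeholders with your own values.

ProxyRequests    Off
ProxyPreserveHost On
ProxyPass        /openam http://openam-internal.example:8080/openam
ProxyPassReverse /openam http://openam-internal.example:8080/openam

# Internal endpoints: reachable from the internal range only. The pattern is
# anchored at the context path so that /openam/sessionservice and everything
# beneath it is covered, while the public login UI stays reachable.
<LocationMatch "^/openam/sessionservice">
    Require ip 10.0.0.0/8
</LocationMatch>

# Stricter variant from the post: add "identity" to the pattern so that the
# /openam/identity REST endpoints are restricted to the same internal range.
# Use either this block or the one above, not both.
#<LocationMatch "^/openam/(sessionservice|identity)">
#    Require ip 10.0.0.0/8
#</LocationMatch>
```

Two practical points when deploying this. First, `Require ip` evaluates the address Apache sees as the client; if another load balancer sits in front of Apache, configure mod_remoteip (RemoteIPHeader / RemoteIPInternalProxy) so the check applies to the real client address rather than the balancer's. Second, a path-based allow-list at the proxy is only as good as the agreement between the proxy's and the servlet container's path normalisation, so treat it as one layer and also apply the restrictions the ForgeRock advisory recommends inside OpenAM itself. After a change, `apachectl configtest` followed by a request to /openam/sessionservice from outside the range should return 403.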