Security - SSI-Solutions/vcms GitHub Wiki
CSRF
VCMS currently does not enforce CSRF protection, as it is not meant to be accessed directly by frontend clients. The Spring Security configuration could be modified to include it if the need arises (see Spring Security Documentation).
Authentication and Authorization
There is currently no authentication or authorization layer on top of VCMS. If VCMS is used in a production environment, it is highly recommended to include one.
Nginx Plus or Spring Cloud Gateway are straightforward options to act as an API gateway and manage access control.
It is recommended to map different roles depending on the accessed APIs.
Role mapping example
| Role | API Access |
|---|---|
| Issuer | All Issuer and Connection APIs |
| Verifier | All Verifier and Connection APIs |
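
The role mapping above, expressed as a Spring Security filter chain (an added example, not part of the VCMS code base). It assumes Spring Security 6 with the OAuth2 resource server starter, a `JwtDecoder` configured through Spring Boot properties, and bearer tokens that carry a `roles` claim with the values `ISSUER` or `VERIFIER`; the package name and the path prefixes `/issuer/**`, `/verifier/**` and `/connection/**` are hypothetical placeholders for the real VCMS routes.

```java
package example.security; // hypothetical package, not from VCMS

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class RoleMappingSecurityConfig {

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Path prefixes are assumptions; replace with the actual API routes.
                .requestMatchers("/issuer/**").hasRole("ISSUER")
                .requestMatchers("/verifier/**").hasRole("VERIFIER")
                // Connection APIs are shared by both roles in the table.
                .requestMatchers("/connection/**").hasAnyRole("ISSUER", "VERIFIER")
                // Default deny: an unmapped route is rejected, never left open.
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(rolesFromJwt())))
            // Bearer tokens only, no server-side session or cookie.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Safe to leave off only while no cookie-based browser client exists.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Maps the assumed "roles" claim to ROLE_* authorities checked by hasRole().
    private JwtAuthenticationConverter rolesFromJwt() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles"); // claim name is an assumption
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }
}
```

Matchers are evaluated in order, so the specific prefixes must stay above the closing `denyAll()` rule.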