I had already written about a data security issue in GeoServer. Recently I also noticed another security issue while I was working on GeoNode.
“GeoNode is a geospatial content management system, a platform for the management and publication of geospatial data. It brings together mature and stable open-source software projects under a consistent and easy-to-use interface allowing non-specialized users to share data and create interactive maps.”
After deploying to a production server, I noticed a security issue: anyone can access your GeoNode layer data through a URL. The URL is given below:
http://example.com/uploaded/ [example.com can be any URL]
So, when you type this URL into a web browser, a list of directories from the GeoNode project repository is displayed in the browser.
Please refer to the snapshot below:
As we can see, a layers folder is present in the web interface, and when we click on the layers folder we can access the published data. Even after you secure your GeoServer, your data layers are still shown through this URL in the GeoNode web interface.
Now, the question is: how do you secure your GeoNode to prevent access to the data and other static content it hosts?
We have to change the folder alias name inside the Apache geonode.conf file. Once we change the alias name, the GeoNode child directory is inaccessible from the web interface. So after successfully changing the alias name, our data layers are secured and can't be accessed through the web interface.
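To confirm the change on your own server, the check below (an added example, not part of the original post) takes the HTTP status and body returned for the old /uploaded/ path, or for the renamed alias, and reports any entries still exposed by an Apache-generated directory index. The function name `audit_listing` and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of an Apache auto-generated index page for an exposed
# directory. Not captured from a real server; "example_dir/" is made up.
SAMPLE_LISTING = """<html><head><title>Index of /uploaded</title></head>
<body><h1>Index of /uploaded</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="layers/">layers/</a></td></tr>
<tr><td><a href="example_dir/">example_dir/</a></td></tr>
</table></body></html>"""


class _IndexParser(HTMLParser):
    """Collects the <title> text and every link target on the page."""

    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.links.append(dict(attrs).get("href") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_listing(status, body):
    """Return the entries exposed by a directory index page, or [] if none."""
    if status != 200:
        return []  # 403/404: the path no longer serves a listing
    parser = _IndexParser()
    parser.feed(body)
    if not parser.title.strip().lower().startswith("index of"):
        return []  # an ordinary page, not a generated directory index
    # Drop column-sort links (?C=N;O=D) and the parent-directory link.
    return [h for h in parser.links if h and not h.startswith(("?", "/", ".."))]


if __name__ == "__main__":
    print(audit_listing(200, SAMPLE_LISTING))
    print(audit_listing(403, "<h1>Forbidden</h1>"))
```

An empty result for a path means no directory index is being served there; a non-empty result lists the folders and files a visitor could still browse.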
Please comment or share suggestions if you have experienced a similar issue, and tell us how you handled it.