SAS/IntrNet 8.2: Application Dispatcher
The Application Dispatcher has several debugging options that can be turned on and off through the _DEBUG field in Dispatcher requests. Some of these options might represent security risks, including a few that are not documented and are used by Technical Support. For example, the Dispatcher includes options to show the SAS log (which might contain source code), the host name and port number where the Application Server is running, or a list of all services known to the Broker.
To create a secure Dispatcher setup, decide which debugging options you want to allow, add together their debug values, and set DebugMask or ServiceDebugMask in the Broker configuration file to that sum. For example, to allow only the field echo (1), status message (2), and output dump (16) values, set DebugMask to 19 (1+2+16).
Note: By default, all debugging options are allowed. DebugMask and ServiceDebugMask are the global and by-service directives, respectively.
The default value for DebugMask is 32767, which is acceptable for most sites. The value 32767 indicates that all debug values are allowed. If you leave DebugMask commented out by keeping the # sign in front of it, you are also allowing all debug values.
Some debug values pose a security risk, so it is recommended that you selectively disable these values by specifying a different DebugMask value. Setting a different DebugMask value dictates the allowable values for the _DEBUG field in the HTML form or link.
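The mask arithmetic and the commented-out default described above, as an added example that is not part of the SAS documentation: a short Python audit that reports which debug values a Broker configuration permits beyond an allow-list. The `Name value` directive syntax, the helper names, and the sample configuration text are assumptions made for illustration.

```python
import re

# Debug values named on the page; other values are not listed there.
FIELD_ECHO, STATUS_MESSAGE, OUTPUT_DUMP = 1, 2, 16
DEFAULT_MASK = 32767  # page: the default, all debug values allowed

# Assumed directive syntax: "<Name> <integer>" on its own line, "#" comments it out.
DIRECTIVE = re.compile(r"^\s*(DebugMask|ServiceDebugMask)\s+(\d+)\s*$")

def build_mask(*values):
    """Sum the allowed debug values; each must be a single power of two."""
    mask = 0
    for v in values:
        if v <= 0 or v & (v - 1):
            raise ValueError(f"{v} is not a single debug value")
        mask |= v
    return mask

def excess(mask, allowed_mask):
    """List the debug values that mask permits but allowed_mask does not."""
    extra = mask & ~allowed_mask
    return [1 << b for b in range(extra.bit_length()) if extra >> b & 1]

def audit(config_text, allowed_mask):
    """Return (directive, line_no, mask, excess_values) for each effective mask."""
    findings, saw_global = [], False
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # blank, other directive, or commented out ("# DebugMask ...")
        name, mask = m.group(1), int(m.group(2))
        saw_global |= name == "DebugMask"
        findings.append((name, no, mask, excess(mask, allowed_mask)))
    if not saw_global:
        # A missing or commented-out DebugMask means the default: everything allowed.
        findings.insert(0, ("DebugMask", None, DEFAULT_MASK, excess(DEFAULT_MASK, allowed_mask)))
    return findings

# Constructed sample configurations, not taken from a real Broker installation.
COMMENTED = "# DebugMask 32767\n"
HARDENED = "DebugMask 19\n"

if __name__ == "__main__":
    allowed = build_mask(FIELD_ECHO, STATUS_MESSAGE, OUTPUT_DUMP)
    for cfg in (COMMENTED, HARDENED):
        print(audit(cfg, allowed))
```
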