Plugin: Access restriction to search results
Purpose
Use this plugin if you need to restrict the access to your search results.
This plugin allows you to specify a HTTP header or URL parameter and a token value that must be included with a search request for results to be returned.
This provides a token-based alternative for restricting access to search results.
When to use this plugin
When embedding the search in another system
Because this plugin controls access via a configured token that must be provided each time a search request is made, this is most useful when you embed the search in another system.
In this case the other system calls the search on the user’s behalf and can add in the additional headers when the request is made.
For example, if you call the search from Squiz Matrix using a REST asset, the asset can be configured to provide the token along with every request that is made to Funnelback.
Usage
Enable the plugin
-
Select Plugins from the side navigation pane and click on the Access restriction to search results tile.
-
From the Location section, select the results page to which you would like to enable this plugin from the Select a results page select list.
| The plugin will take effect as soon as you finish running through the plugin setup steps. |
Configuration settings
The configuration settings section is where you do most of the configuration for your plugin. The settings enable you to control how the plugin behaves.
| The configuration key names below are only used if you are configuring this plugin manually. The configuration keys are set in the results page configuration to configure the plugin. When setting the keys manually you need to type in (or copy and paste) the key name and value. |
Header or URL parameter name
Configuration key |
|
Data type |
string |
Required |
This setting is required |
Specifies the HTTP header or URL parameter name containing the security token
Parameter type
Configuration key |
|
Data type |
string |
Default value |
|
Allowed values |
HTTP REQUEST HEADER,URL PARAMETER |
Required |
This setting is optional |
Sets if the token is read from a specified HTTP request header, or a URL parameter.
Security token
Configuration key |
|
Data type |
Encrypted string |
Required |
This setting is required |
The value of the security token that must be provided as the value of the configured HTTP header when making the request.
The user will only be granted access to view the search results if the header name and token are supplied when making the query.
Allow unrestricted access for click tracking
Configuration key |
|
Data type |
boolean |
Default value |
|
Required |
This setting is optional |
This determines if the click tracking endpoint (/s/redirect) requires the token to be passed in the headers. This should be set to 'true' if you are not proxying click tracking via your CMS.
Under normal usage you should not need to secure the /s/redirect endpoint as it’s sole purpose is to log the click then redirect the user to the actual result URL, which will be protected by any CMS security.
Allow unrestricted access for auto-completion
Configuration key |
|
Data type |
boolean |
Default value |
|
Required |
This setting is optional |
This determines if the auto-completion endpoint (/s/suggest.json) requires the token to be passed in the headers. This should be set to 'true' if you wish to use auto-completion with your search. NOTE: before allowing unrestricted access, you should consider if the risk of exposing any information as auto-completion suggestions is acceptable. If the risk is unacceptable then auto-completion should not be used for the search.
Examples
This example shows how to configure the plugin to restrict access to a set of search results unless you provide the following in you HTTP headers when making your search request:
| HTTP header | Value |
|---|---|
|
|
To achieve this, the plugin must be configured with the settings:
| Plugin setting | Value |
|---|---|
Header or URL parameter name |
|
Security token |
|
Parameter type |
HTTP REQUEST HEADER |
|
The token you enter ( profile.cfg
If you wish to read the token from a URL parameter instead set the following when configuring the plugin:
If you wish to use auto-completion or click tracking with your search you should also set the following in your plugin configuration:
Allowing unrestricted access to these endpoints means that you can directly access these without requiring the token. Before enabling for auto-completion you should consider if there is an acceptable risk for any information that might be leaked in the auto-completion suggestions. For click tracking there isn’t really any risk because unrestricted access to the endpoint will only log a click then redirect the user to the URL for the result, which is still protected by your CMS. |