It is recommended that diagnostics be set to FALSE in RESTfm.ini.php once successfully deployed. Disabling diagnostics turns off several features that may expose internal server information, and also improves performance. The features disabled are:
- report.php page (and its callback dependencies).
- X-RESTfm-Trace on failures, included in 'info' section of response message.
- echo service page.
It is highly recommended that SSL be enabled in RESTfm.ini.php (and optionally enforced in .htaccess (Apache) or web.config (IIS)) before proceeding to production use. Failure to use SSL encryption will result in user names and passwords (and API keys) being sent in clear text, where they are visible to any eavesdropper. Once enabled, any access to RESTfm without SSL will automatically be redirected to https://
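A post-deployment check for the two settings above, as an added example that is not part of RESTfm or its documentation. It assumes the 'info' section of a JSON response is an object keyed by field name; the host, path and sample captures are constructed placeholders.

```python
import http.client
import json
from urllib.parse import urlsplit

TRACE_KEY = "X-RESTfm-Trace"  # diagnostic field named in the list above


def fetch_plain_http(host, path, timeout=10):
    """Request path over plain HTTP without following redirects."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def audit(plain_http, failure_body):
    """Return findings for a captured plain-HTTP response (status, headers)
    and the JSON body of a request that failed."""
    findings = []
    status, headers = plain_http
    # Header names are case-insensitive, so normalise before the lookup.
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if not (300 <= status < 400 and urlsplit(location).scheme == "https"):
        findings.append("plain HTTP not redirected to https://")
    try:
        info = json.loads(failure_body).get("info", {})
    except (ValueError, AttributeError):
        info = {}
        findings.append("failure response is not a JSON object; check manually")
    if isinstance(info, dict) and TRACE_KEY in info:
        findings.append(TRACE_KEY + " present: diagnostics still enabled")
    return findings


# Constructed sample captures (not output from a real server).
HARDENED = ((302, {"Location": "https://db.example.com/RESTfm/"}), '{"info": {}}')
EXPOSED = ((200, {"Content-Type": "application/json"}),
           '{"info": {"X-RESTfm-Trace": "constructed trace text"}}')

if __name__ == "__main__":
    for name, (plain, body) in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit(plain, body) or "ok")
```

For a live check, pass the result of fetch_plain_http() for your own host and RESTfm base path as the first argument, and the body of a deliberately failing request as the second.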
Use strong passwords
Treat RESTfm user names and passwords with the same vigilance as those of any network-accessible account.
Use firewalls and VPNs
Care should be taken with sensitive data. Use firewalls or VPNs to limit access to RESTfm if global Internet access is not required.