Disable diagnostics

It is recommended that diagnostics be set to FALSE in RESTfm.ini.php once RESTfm is successfully deployed. This disables several features that may expose internal server information, and also improves performance. The features disabled are:

  • report.php page (and its callback dependencies).
  • X-RESTfm-Trace on failures, included in 'info' section of response message.
  • echo service page.

Enable SSL/TLS

It is highly recommended that SSL be enabled in RESTfm.ini.php (and optionally enforced in .htaccess (Apache) or web.config (IIS)) before proceeding to production use. Failure to use SSL encryption will result in user names and passwords (and API keys) being sent in clear text, where they are clearly visible to any eavesdropper. Once enabled, any access to RESTfm without SSL will automatically be redirected to https://
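A post-deployment check for the two settings above, as an added example that is not part of RESTfm or its documentation: it inspects captured responses for a surviving X-RESTfm-Trace entry and for a missing redirect to https://. It assumes the response body is JSON with a top-level 'info' object; the function names, host name and sample captures are constructed for illustration.

```python
import json

TRACE_KEY = "X-RESTfm-Trace"  # name taken from the list of diagnostics features


def leaks_trace(body_text):
    """True if a response body still carries X-RESTfm-Trace."""
    try:
        doc = json.loads(body_text)
    except ValueError:
        # Body is not JSON: fall back to a case-insensitive substring match.
        return TRACE_KEY.lower() in body_text.lower()
    # Assumption: JSON responses hold the 'info' section as a top-level object.
    info = doc.get("info", {}) if isinstance(doc, dict) else {}
    return isinstance(info, dict) and any(
        key.lower() == TRACE_KEY.lower() for key in info)


def redirects_to_https(status, headers):
    """True if a plain-HTTP request was answered with a redirect to https://."""
    location = next(
        (v for k, v in headers.items() if k.lower() == "location"), "")
    return 300 <= status < 400 and location.lower().startswith("https://")


def audit(http_probe, error_probe):
    """Return findings for two captured responses.

    http_probe:  (status, headers) of a request sent over http://
    error_probe: (status, headers, body) of a request expected to fail
    """
    findings = []
    if not redirects_to_https(*http_probe):
        findings.append("plain HTTP answered without a redirect to https://")
    if leaks_trace(error_probe[2]):
        findings.append("X-RESTfm-Trace present: diagnostics still enabled")
    return findings


# Constructed sample captures (not real server output).
HARDENED = ((301, {"Location": "https://fm.example.com/RESTfm/"}),
            (404, {}, '{"info": {}}'))
WEAK = ((200, {}),
        (404, {}, '{"info": {"X-RESTfm-Trace": "constructed trace text"}}'))

if __name__ == "__main__":
    for name, capture in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(*capture) or "no findings")
```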

Use strong passwords

User names and passwords should be treated with the same vigilance as those of any network-accessible account.

Use firewalls and VPNs

Care should be taken with sensitive data. Use firewalls or VPNs to limit access to RESTfm if global Internet access is not required.