As the SMP is publicly available on HTTP port 80 and does not require a client certificate or anything of the like, especially the modifying actions (HTTP
must be handled with special care to avoid man-in-the-middle attacks.
Even though HTTP BasicAuth is used, this does not really add security: the username and password are only Base64 encoded, which is trivially decodable, and are therefore exposed to man-in-the-middle attacks.
The recommended scenario is to additionally configure the SMP to run on HTTPS (on any port other than 80) and to perform the modifying actions only via HTTPS. BasicAuth is still required, but the credentials are not readable by third parties because of the underlying transport security. This is currently not enforced technically, but it should be followed as a convention when running an SMP with this implementation.
For a future release it may be of value to present the modifying actions under a separate path prefix (e.g. /secure), which can then easily be used to forward all HTTP requests to /secure/* to HTTPS automatically.
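The following Python snippet is an added example and is not code from the SMP implementation described here. It models the convention from the two paragraphs above as a front-end policy: a request over HTTPS is always allowed, a plain-HTTP request under the assumed `/secure/` prefix is answered with a redirect to its HTTPS counterpart, and a modifying request over plain HTTP is rejected. It also decodes a BasicAuth header to make visible why that header offers no confidentiality on its own. The set of modifying methods (`PUT`, `POST`, `DELETE`), the HTTPS port 8443, the host name and the credentials are assumptions of this example, not values from the page.

```python
import base64
import binascii
from urllib.parse import urlsplit, urlunsplit

# Assumption: the page only speaks of "modifying actions"; which HTTP verbs
# those are is this example's choice.
MODIFYING_METHODS = frozenset({"PUT", "POST", "DELETE"})

# Assumption: the path prefix the page proposes for a future release.
SECURE_PREFIX = "/secure/"

# Constructed sample credential, used only to show that BasicAuth is
# plain Base64 and can be read by anyone who sees the request.
SAMPLE_AUTH_HEADER = "Basic " + base64.b64encode(b"smpadmin:s3cret").decode("ascii")


def decode_basic_auth(authorization_header):
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: no key is needed to reverse it,
    so over plain HTTP the credential is effectively sent in clear text.
    Returns None when the value is not a well-formed Basic credential.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def to_https(url, https_port):
    """Rewrite an http:// URL to its https:// counterpart on https_port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    netloc = host if https_port == 443 else f"{host}:{https_port}"
    # Drop any fragment; it is never sent to the server anyway.
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


def enforce_transport_policy(method, url, https_port=8443):
    """Decide how an SMP front end should treat a request.

    Returns (action, detail):
      ("allow", None)          request may proceed
      ("redirect", https_url)  send 301 to the HTTPS URL (/secure/* over HTTP)
      ("reject", reason)       modifying action attempted over plain HTTP
    Read-only requests over HTTP stay allowed, matching the page's convention
    that only the modifying actions must go over HTTPS.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "allow", None
    if parts.path.startswith(SECURE_PREFIX):
        return "redirect", to_https(url, https_port)
    if method.upper() in MODIFYING_METHODS:
        return "reject", (f"{method.upper()} over plain HTTP is not accepted; "
                          f"use HTTPS on port {https_port}")
    return "allow", None


if __name__ == "__main__":
    # Assumed host name and participant path, constructed for the demo.
    base = "http://smp.example.org"
    print(decode_basic_auth(SAMPLE_AUTH_HEADER))
    print(enforce_transport_policy("GET", base + "/iso6523-actorid-upis%3A%3A0088%3A1234"))
    print(enforce_transport_policy("PUT", base + "/iso6523-actorid-upis%3A%3A0088%3A1234"))
    print(enforce_transport_policy("GET", base + "/secure/iso6523-actorid-upis%3A%3A0088%3A1234"))
```

Rejecting a modifying request outright rather than redirecting it is deliberate: a redirect would already have exposed the BasicAuth header and the request body on the plain-HTTP leg, so there is nothing left to protect by the time the client follows it. When the SMP sits behind a reverse proxy that terminates TLS, the scheme must be taken from a proxy-set header such as `X-Forwarded-Proto`, and that header must only be trusted when it comes from the proxy itself.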
Currently the following predefined paths are available outside the minimum REST API: