1.5 KiB
////////////////////////////////////////////////////////////////////////////////
/// @startDocuBlock serverAuthenticateSystemOnly
/// @brief whether or not only requests to internal URLs need authentication
/// --server.authenticate-system-only boolean
///
/// Controls whether incoming requests need authentication only if they are
/// directed to the ArangoDB's internal APIs and features, located at
/// /_api/,
/// /_admin/ etc.
///
/// IF the flag is set to true, then HTTP authentication is only
/// required for requests going to URLs starting with /_, but not for other
/// URLs. The flag can thus be used to expose a user-made API without HTTP
/// authentication to the outside world, but to prevent the outside world from
/// using the ArangoDB API and the admin interface without authentication.
/// Note that checking the URL is performed after any database name prefix
/// has been removed. That means when the actual URL called is
/// /_db/_system/myapp/myaction, the URL /myapp/myaction will be used for
/// authenticate-system-only check.
///
/// The default is false.
///
/// Note that authentication still needs to be enabled for the server
/// regularly
/// in order for HTTP authentication to be forced for the ArangoDB API and the
/// web interface. Setting only this flag is not enough.
///
/// You can control ArangoDB's general authentication feature with the
/// --server.disable-authentication flag.
/// @endDocuBlock
////////////////////////////////////////////////////////////////////////////////