Security

Neither NetCoreServer nor Unity’s C# implementation and/or source code transformation has been checked against all possible security issues. The server should therefore not be exposed to the internet or to any other insecure network. For this reason, this component binds to localhost only by default.

Use as a backend service

                  ┌─ Server ────────────────────────────────────────┐
                  │                                                 │
┌──────────────┐  │   ┌─────────────────┐   ┌────────────────────┐  │
│              │  │   │                 │   │                    │  │
│   API User   ├──┼──►│ Backend Service ├──►│ REST Server (Unity)│  │
│              │  │   │                 │   │                    │  │
└──────────────┘  │   └─────────────────┘   └────────────────────┘  │
                  │                                                 │
                  └─────────────────────────────────────────────────┘

This architectural pattern adds an additional server outside Unity that handles all incoming calls and acts as the frontend for the REST API user. This backend service takes care of all security-relevant aspects, such as sanitization, authentication and others. It can also be used to abstract a low-level REST API from Unity into a higher, application-level interface. For example, the Unity REST server can provide low-level calls like SetPosition or MoveTo, while the backend service implements a higher-level animation interface like PlayAnimationX.
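The request handling such a backend service could perform, as an added example that is not part of this project's code: it authenticates the caller, validates input against an allow-list, and maps the high-level PlayAnimationX call onto low-level MoveTo calls forwarded over loopback. The port, the JSON body shape, the token, the speed parameter and all function names are assumptions.

```python
import hmac
import json
import math
import urllib.request

# Assumptions, not taken from the project: Unity's REST server listens on
# 127.0.0.1:8080 and accepts POST /MoveTo with a JSON body {"x", "y", "z"}.
UNITY_BASE = "http://127.0.0.1:8080"
API_TOKEN = b"constructed-sample-token"  # constructed; load from a secret store
# High-level actions offered to API users, each a fixed list of low-level calls.
ANIMATIONS = {
    "PlayAnimationX": [("MoveTo", (0.0, 0.0, 0.0)), ("MoveTo", (5.0, 0.0, 2.5))],
}


def authenticate(token):
    """Compare the presented token in constant time."""
    return isinstance(token, str) and hmac.compare_digest(token.encode(), API_TOKEN)


def plan(action, speed):
    """Validate one request and translate it into low-level Unity calls."""
    if action not in ANIMATIONS:  # allow-list: nothing is passed through as-is
        raise ValueError("unknown action")
    if (isinstance(speed, bool) or not isinstance(speed, (int, float))
            or not math.isfinite(speed) or not 0.1 <= speed <= 10.0):
        raise ValueError("speed must be a number in [0.1, 10]")
    return [(name, {"x": x, "y": y, "z": z, "speed": float(speed)})
            for name, (x, y, z) in ANIMATIONS[action]]


def forward(endpoint, body):
    """POST one low-level call to the Unity server over loopback."""
    req = urllib.request.Request(f"{UNITY_BASE}/{endpoint}", json.dumps(body).encode(),
                                 {"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status


def handle(token, action, speed, send=forward):
    """Process one API-user request; returns (HTTP status, detail)."""
    if not authenticate(token):
        return 401, "unauthorized"
    try:
        calls = plan(action, speed)
    except ValueError as exc:
        return 400, str(exc)
    for endpoint, body in calls:
        send(endpoint, body)
    return 200, f"{len(calls)} calls forwarded"
```

Only `handle` is reachable by the API user; the Unity server stays bound to localhost and never sees unauthenticated or unvalidated input.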

Bind to any IP and use in a secured network

┌─ Secured/Private Network ──────────────────────────┐
│                                                    │
│                    ┌─ Server ───────────────────┐  │
│                    │                            │  │
│  ┌──────────────┐  │   ┌────────────────────┐   │  │
│  │              │  │   │                    │   │  │
│  │   API User   ├──┼──►│ REST Server (Unity)│   │  │
│  │              │  │   │                    │   │  │
│  └──────────────┘  │   └────────────────────┘   │  │
│                    │                            │  │
│                    └────────────────────────────┘  │
│                                                    │
└────────────────────────────────────────────────────┘

It is technically possible to expose the REST server on any interface/network. While this can be done in code, the network (or your implementation) should then take care of security. This architecture can be useful if you are running Unity inside a render farm that is protected from the outside.

The REST server can be bound to any interface with this example code:

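using System.Net;

public class MyServer : RestServer {
    public override void StartServer() {
        // Stop a previously started instance before rebinding.
        Server?.Stop();

        // IPAddress.Any listens on all network interfaces instead of localhost only.
        Server = new LowLevelHttpServer(
            EndpointCollection,
            IPAddress.Any /* Important change */,
            port
        );
        Server.Start();
    }
}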