Security

Use as a backend service

                  ┌─ Server ────────────────────────────────────────┐
                  │                                                 │
┌──────────────┐  │   ┌─────────────────┐   ┌────────────────────┐  │
│              │  │   │                 │   │                    │  │
│   API User   ├──┼──►│ Backend Service ├──►│ REST Server (Unity)│  │
│              │  │   │                 │   │                    │  │
└──────────────┘  │   └─────────────────┘   └────────────────────┘  │
                  │                                                 │
                  └─────────────────────────────────────────────────┘

This architectural pattern adds an additional out-of-unity server that handles all incoming calls and is the frontend for the REST API user. This backend service takes care of all security relevant aspects like sanitization, authentication and others. The backend service can also be used to abstract a low level REST API from Unity into a higher application level interface. The Unity REST server, for example, can provide low level calls, like SetPosition or MoveTo as the Backend Service can implement some higher level animation interface like PlayAnimationX.

Bind to any IP and use in a secured network Deprecated in 1.5.0

┌─ Secured/Private Network ──────────────────────────┐
│                                                    │
│                    ┌─ Server ───────────────────┐  │
│                    │                            │  │
│  ┌──────────────┐  │   ┌────────────────────┐   │  │
│  │              │  │   │                    │   │  │
│  │   API User   ├──┼──►│ REST Server (Unity)│   │  │
│  │              │  │   │                    │   │  │
│  └──────────────┘  │   └────────────────────┘   │  │
│                    │                            │  │
│                    └────────────────────────────┘  │
│                                                    │
└────────────────────────────────────────────────────┘

It’s technical possible to expose the REST server to any interface/network. While this can be done by code, the network (or your implementation) should then take care of security. This architecture could be useful if you are using Unity inside a render farm, that is protected from the outside.

The REST Server can be bind to any interface with this example code

public class MyServer : RestServer {
    public override void StartServer() {
        Server?.Stop();

        Server = new LowLevelHttpServer(
            EndpointCollection, 
            IPAddress.Any /* Important change */, 
            port
        );
        Server.Start();
    }
}

Bind to any Interface New in 1.5.0

It’s technical possible to expose the REST server to any interface/network. While this can be done, the network (or your implementation) should then take care of security. The rest server can be bound to any available IP via the property ListenAddress, like this:

void Start() {
    restServer.ListenAddress = new IPAddress(new byte[] {100, 100, 100, 100});
    restServer.StartServer();
}

Note that the ip must be available as interface on the machine the rest server is running on.

Alternatively, and much easier, the listen interface can be changed in the inspector

Change listening interface/address in the inspector