Data Security

Opensolr Data Security — find answers to your questions

Information Security Policy

🛡️ Opensolr Information Security Policy

This document outlines Opensolr’s current data security and privacy practices.
Our policies evolve with the industry, so please check back for updates or Contact Us with suggestions.


1. Introduction

  • Opensolr is ISO9001 & ISO27001 Certified
    (Recognized standards for quality and information security.)

  • Types of Data Processed:

    • Logical Data:
      • User identification and profile data.
      • Used to provide the Solr Cloud Hosting Platform and related services, managed securely with Role-Based Access Control (RBAC).
    • Solr Data:
      • The data you host with Opensolr, in your own designated environment/server.
      • Stored globally with leading datacenter and cloud providers, including:

2. 🔒 Confidentiality

  • All data types are protected under our GDPR Information Security Policies and our main privacy policy.

  • Logical Data:

    • Securely stored on encrypted Opensolr Main Data Servers (AWS Cloud).
    • Identifies each user (free, paid, or blocked status).
    • User activity logs are encrypted and provide a full transparency trail.
    • Only accessible to the Opensolr Account Owner via the Control Panel.
    • Security policies:
      • User/Password Authentication
      • Two-Factor Authentication (Authy/SMS, optional)
  • Solr Data:

    • Securely stored per your choice of datacenter/cloud.
    • Security policies:
      • SSL Data Transmission
      • HTTP Authentication
      • IP Access-Based Authorization
    • Accessible only to the Account Owner and invited team members (verified).
    • Never made public unless the Owner explicitly authorizes it, via our Support Helpdesk.

3. 🧩 Integrity

  • Logical Data (User Identity):
    • Not changed by Opensolr employees except:
      • Upon explicit owner request (via Support Helpdesk).
      • By the owner through the Control Panel (with full change logs).
  • Solr Data:
    • Updated/removed only by the Account Owner or authorized team members after passing security checks.

4. ⚡ Availability

  • All authorized users have reliable, timely access to Opensolr services.
  • Infrastructure is built for high availability and resilience, even during failures.
  • Risk mitigation & high availability:
    • Solr Data Backup tools for creating, downloading, or restoring data/configs.
    • Solr Index Replication for direct index replicas across regions.
    • Main system replication & redundancy worldwide.
    • Custom and third-party Web Application Firewall (WAF) systems (e.g., Apache mod_security).

5. 🎯 Authenticity

  • Uses the latest SSL standards and configurations for secure, authentic transfers.
  • Never requests or transfers biometric or location data.
  • All data transfers are subject to:
    • WAF AI verification (blocking/whitelisting)
    • SSL security keys and fingerprint verification for authentic transmissions

6. 📝 Non-Repudiation

  • Opensolr keeps detailed logs and revisions of all critical data transfers, user identification, and actions.
  • All support interactions are logged and revisioned via our Support Helpdesk System.

Questions or feedback?
Contact us here.


GDPR Privacy Agreement

📄 Opensolr General Data Privacy Terms

1. Membership and Agreement


2. Data Collected by Opensolr

  • Opensolr collects minimal mandatory data at registration:
    • Email address
    • Chosen password
  • You may change your password at any time.
  • To update your registration email address, submit a formal request to support@opensolr.com.
  • Members may optionally add more personal data (e.g., website, social links) and create Opensolr Cloud Indexes to store data as needed.
  • Opensolr does NOT directly collect, store, or process any billing or payment information from members or third parties.
  • Your Solr Index Data is never accessible to Opensolr staff, subcontractors, or third parties without your consent—except in urgent technical emergencies required to restore service.

3. Personal Data Processing

  • Opensolr will never make public, sell, or trade any member’s personal information.
  • Your email address is used solely for login and identification.
  • Strict security measures protect all data stored and processed via Opensolr cloud infrastructure.
    See our Cloud Data Security FAQ for more details.
  • As above, Opensolr never directly collects or stores billing or payment data.
    All payments and billing are processed through highly secure, PCI-compliant APIs provided by Stripe.com.

4. Data Security

  • All data on Opensolr infrastructure is protected by SSL encryption.
  • SSL certificates are re-keyed and renewed annually.
  • Opensolr.com always uses EV-SSL for maximum browser and user trust.
  • All accounts can activate Two-Factor Authentication (2FA) via SMS or Authy.
    Our 2FA system is delivered securely via SSL and managed by Twilio.

5. Communication Policy

  • Opensolr will never send unsolicited emails or postal mail.
  • All official Opensolr communications are mandatory for members and limited to:
    • System maintenance and emergency alerts
    • Membership notifications (trial expiration, resource usage, password resets, etc.)
    • Service developments and updates relevant to all members

To opt out of Opensolr communications, you must request account cancellation by emailing support@opensolr.com.


Opensolr is ISO9001 and ISO27001 Certified

🏆 Opensolr: ISO27001 & ISO9001 Certified


Why ISO Certification Matters

At Opensolr, we believe that trust, quality, and security are the foundation of every successful search solution.
That’s why we’re proud to be officially certified for both ISO27001 (Information Security Management) and ISO9001 (Quality Management).


🔐 ISO27001: Information Security Management

  • World-class data protection: Your data is managed using global best practices for confidentiality, integrity, and availability.
  • Continuous risk management: We proactively identify and mitigate security threats to keep your information safe.
  • Compliance assurance: Our ISO27001 certification means Opensolr meets strict requirements recognized by businesses and regulators worldwide.

🏅 ISO9001: Quality Management

  • Consistent, reliable service: Our processes are optimized for quality, efficiency, and continuous improvement.
  • Customer focus: We put your needs at the center of everything we do, driving high customer satisfaction.
  • Process transparency: ISO9001 ensures clear procedures, fewer errors, and a smooth customer experience.

🌍 The Benefits for You

  • Peace of mind: Your data and services are protected by proven, independently audited standards.
  • Business readiness: Opensolr can support even the most demanding enterprise, compliance, and public sector requirements.
  • Trusted partnership: Our commitment to quality and security is not just a promise—it’s certified.


Want to know more about our certifications or request documentation?
Contact our team — we’re happy to help.


Solr Cloud data security

🔐 Opensolr Security Mechanisms

At Opensolr, your data security is at the heart of everything we do.
Here are the key security mechanisms we implement to keep your search infrastructure safe:


1. 🛡️ IP Access Rules per Request Handler

  • Restrict access to critical Solr request handlers (such as /select, /update, etc.) by IP address.
  • Configure your own rules to allow only specific IP addresses or use the "all" wildcard for broader access.
  • Gain precise control over which systems can interact with your indexes.

2. 🔑 HTTP Authentication

  • Protect your index with a username and password, required for every request.
  • Ensure only authorized users and systems can access or update your Solr data.
  • Simple, robust access management for every request handler.

3. 🔒 SSL Connections

  • All communication—across the Opensolr website and all cloud servers—is protected by state-of-the-art SSL encryption.
  • Safeguard your data in transit, with industry-standard encryption for all web and API traffic.


Want to learn more about how we protect your data or set up advanced security?
Contact our team—we’re here to help.


CORS Ajax requests directly to Opensolr Index.

🌐 Opensolr AJAX & HTTP Authentication Requests

AJAX-based HTTP requests are a modern, secure way to interact with Opensolr from your own web applications and client-side scripts.
To ensure maximum security for our users and infrastructure, Opensolr implements a strict CORS (Cross-Origin Resource Sharing) and origin whitelisting policy for all AJAX requests that require HTTP Authentication.


🔒 Why Whitelisting Is Required

  • Security First:
    Restricting allowed origins helps protect your Solr data from unauthorized or malicious cross-site requests.
  • Minimizing Attack Surface:
    Only approved domains can interact with your index via AJAX, which blocks drive-by and XSS-style attacks.
  • Compliance:
    Many enterprise and regulatory frameworks require origin controls for API and cloud service access.

🚦 How to Request AJAX HTTP Auth Access

To enable AJAX access from your website or app, follow these steps:

  1. Submit a Support Ticket

    • Click the link and fill out the ticket form.
  2. Provide the Following Details:

    • Origins:
      The exact domains or origins (e.g., https://yourapp.com, https://admin.partner.com) you will be making AJAX requests from.
    • Index or Cluster Name:
      The name of the Solr index or cluster you want to access via AJAX.
    • Account Email:
      The email address used to register your Opensolr account.
  3. We Whitelist Your Origins:
    Our team will configure the Opensolr cloud to allow AJAX requests only from your specified domains.


🛡️ What Happens Next?

  • Once your origins are whitelisted, you’ll be able to make secure, authenticated AJAX requests to your Opensolr index.
  • Requests from other, non-approved domains will be blocked by default for your safety.
  • You can update your list of allowed origins at any time—just submit another ticket!
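The server-side decision behind origin whitelisting, as an added illustration that is not Opensolr's own code: a credentialed AJAX request (one carrying HTTP Auth) can never be answered with `Access-Control-Allow-Origin: *`, so the service must echo exactly one pre-approved origin or send no CORS headers at all. The allowlist below is constructed from the example domains in this answer, and the matching rules are an assumption about how such a check would be written.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for the origins a customer submits in a
# support ticket; the matching rules below are an assumption, not Opensolr's code.
ALLOWED_ORIGINS = {"https://yourapp.com", "https://admin.partner.com"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in canonical form, or None if it is not a valid origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a real Origin header never carries a path, query or fragment
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port in (None, default_port):
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_origin: Optional[str], allowlist=ALLOWED_ORIGINS) -> dict:
    """Decide which CORS headers to emit for a credentialed (HTTP Auth) request.

    Browsers reject Access-Control-Allow-Origin: * when credentials are sent, so
    the server must echo one exact pre-approved origin or send no CORS headers,
    in which case the browser blocks the cross-site response.
    """
    if request_origin is None:
        return {}
    wanted = normalize_origin(request_origin)
    approved = {normalize_origin(o) for o in allowlist}
    if wanted is None or wanted not in approved:
        return {}
    return {
        "Access-Control-Allow-Origin": wanted,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Vary": "Origin",  # keep caches from serving this response to other origins
    }
```

Lookalike hosts, a scheme downgrade and the literal `null` origin all fall through to an empty header set, which is what makes the browser refuse the response.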

Have questions or special requirements?
Contact support—we’re here to help you build securely and confidently with Opensolr.


Default HTTP Auth Credentials

🔑 Opensolr Index HTTP Authentication Policy

It is now mandatory that every Opensolr index is protected with HTTP authentication to ensure security and privacy.


🚀 Default Credentials for New Indexes

When you create a new index, Opensolr automatically sets up HTTP Auth credentials:

  • Username:
    opensolr
  • Password:
    Your account’s Automation REST API KEY

You can find your API KEY in your Opensolr dashboard.


🛠️ How to Change HTTP Auth Credentials

You may change your HTTP Auth username and password at any time:

  1. Go to your Opensolr Index Control Panel.
  2. Click the Security tab on the left menu.
  3. Update your credentials as needed.

⚠️ Important Notes on API Keys

  • When you generate a new API KEY in your Control Panel Dashboard:
    • Newly created indexes will use the new API KEY as their password.
    • Existing indexes will keep their old API KEY as the password.
      (Regenerating your API KEY does not change the password for indexes you created earlier.)

If you want to update the password for an existing index, change it manually in the Security tab.


💡 Pro Tip

  • Keep your API KEY confidential—it acts as the password for HTTP authentication.
  • Regularly review and update your credentials, especially if you rotate API keys for security.

Need help or have questions?
Contact Opensolr support anytime!


Solr Index with HTTP Authentication

Overview

Opensolr provides multiple layers of security to protect your Solr index data. You can use HTTP Authentication, IP-based access rules, and SSL encryption — individually or combined — to ensure only authorized clients can access your index.

How to Enable HTTP Authentication

  1. Log in to the Opensolr Control Panel.
  2. Click on your index name to open its management page.
  3. Navigate to the Security tab.
  4. Under Manage HTTP Auth Credentials, set your desired username and password.
  5. Save your changes. HTTP Authentication is now active on your index.

Once enabled, every request to your index (including /select, /update, and all other request handlers) will require valid HTTP Basic Authentication credentials.

Using HTTP Auth in Your Application

When HTTP Auth is enabled, include your credentials in every request. For example, with curl:

curl -u "your-username:your-password" \
  "https://YOUR_SOLR_HOST/solr/YOUR_INDEX/select?q=*:*"

Most Solr client libraries (Solarium, SolrJ, pysolr, etc.) support HTTP Basic Authentication in their configuration.

IP-Based Access Rules

In addition to HTTP Auth, you can restrict access to specific request handlers based on IP address:

  • Navigate to the Security tab in your index management page.
  • Under Add new Access IP Address, you can define which IP addresses are allowed to access specific request handlers (/select, /update, etc.).
  • By default, the wildcard "all" is set, meaning all IP addresses can access all request handlers.
  • You can restrict /update to only your server IP while leaving /select open, for example.

This is useful for ensuring that only your backend servers can write to the index, while read access may be broader.
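An added example, not Opensolr's implementation, of how per-handler IP rules like the ones above evaluate: `all` is the default wildcard, `/update` is limited to constructed backend addresses, and unknown or malformed sources are denied. The longest-prefix inheritance (so `/update/json` follows the `/update` rule) and the `/solr/<index>/<handler>` path layout are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed rule set mirroring the Security tab described above: "all" is the
# default wildcard, and a handler with specific entries admits only those sources.
# The matching order is an assumption, not Opensolr's own implementation.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as sample values.
ACCESS_RULES: Dict[str, List[str]] = {
    "/select": ["all"],                          # read access left open
    "/update": ["203.0.113.10", "10.0.0.0/8"],   # writes only from backend servers
}


def rules_for(handler: str, rules: Dict[str, List[str]]) -> List[str]:
    """Longest-prefix match, so /update/json inherits the /update rule (assumption)."""
    matches = [k for k in rules if handler == k or handler.startswith(k + "/")]
    return rules[max(matches, key=len)] if matches else ["all"]


def is_ip_allowed(handler: str, client_ip: str, rules: Dict[str, List[str]] = ACCESS_RULES) -> bool:
    """Return True if client_ip may call the given request handler."""
    try:
        client = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: deny rather than guess
    entries = rules_for(handler, rules)
    if not entries:
        return False  # an empty allowlist locks the handler completely
    for entry in entries:
        if entry == "all":
            return True
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip an unparsable rule entry instead of failing open
        if client.version == network.version and client in network:
            return True
    return False


def handler_from_path(path: str) -> str:
    """Map a URL path such as /solr/myindex/update/json?commit=true to /update/json."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    # Assumes the /solr/<index>/<handler...> layout shown in the curl example above.
    return "/" + "/".join(segments[2:]) if len(segments) > 2 else "/"
```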

SSL Encryption

All connections throughout the Opensolr platform — including the website and all Solr cluster servers — are secured with SSL/TLS encryption. This means your data and credentials are encrypted in transit at all times. No additional configuration is needed; simply use https:// URLs.

Security Best Practices

  • Always enable HTTP Auth if your index contains sensitive or proprietary data.
  • Restrict /update access to your server IPs only — this prevents unauthorized data modification.
  • Use strong credentials and rotate them periodically.
  • Never expose credentials in client-side JavaScript. Proxy Solr requests through your backend.
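Putting the "Using HTTP Auth in Your Application" section and the last best practice together, as an added example that is not Opensolr's code: a backend function that turns untrusted browser parameters into an authenticated `/select` request, so the HTTP Basic credentials exist only server-side and the proxy can never be steered at `/update`. The host, index name, credentials and the forwarded parameter set are constructed placeholders.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed settings; replace with your own index host, name and credentials.
# The /solr/<index>/select layout follows the curl example in this answer.
SOLR_BASE = "https://YOUR_SOLR_HOST/solr/YOUR_INDEX"
SOLR_USER = "your-username"
SOLR_PASS = "your-password"

# Parameters the browser may influence; everything else (handler choice, commit
# flags, update payloads) is fixed server-side, so this proxy can only ever read.
FORWARDED_PARAMS = ("q", "fq", "fl", "sort", "start", "rows")
MAX_ROWS = 50


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header value (base64 of user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_select_request(client_params: dict) -> Request:
    """Translate untrusted client parameters into an authenticated /select request."""
    params = {k: client_params[k] for k in FORWARDED_PARAMS if k in client_params}
    params.setdefault("q", "*:*")
    try:
        rows = int(params.get("rows", 10))
    except ValueError:
        rows = 10
    params["rows"] = str(max(0, min(rows, MAX_ROWS)))  # cap result size server-side
    params["wt"] = "json"
    url = f"{SOLR_BASE}/select?{urlencode(params)}"
    # Credentials are attached here, on the backend, and never reach the browser.
    return Request(url, headers={"Authorization": basic_auth_header(SOLR_USER, SOLR_PASS)})


def proxy_search(client_params: dict, timeout: float = 5.0) -> bytes:
    """Send the proxied query to the index and return the raw JSON response body."""
    with urlopen(build_select_request(client_params), timeout=timeout) as resp:
        return resp.read()
```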

Need help configuring security for your index? Contact Us and we will assist you.


The log4j Vulnerability (CVE-2021-44228)

🛡️ Opensolr & The Log4j Vulnerability (CVE-2021-44228)

What is the log4j exploit?

The log4j vulnerability (CVE-2021-44228) is a critical security issue discovered in December 2021.
It allows attackers to execute remote code on vulnerable systems, by exploiting the way log4j logs certain input—potentially turning any untrusted log entry into a system command.

Summary:
If a vulnerable application logs user-controlled input using log4j, an attacker can craft input that gets executed as code on the server.


🚨 Is Opensolr affected by the log4j exploit?

No. The Opensolr service is not vulnerable.
This vulnerability was fully patched across the entire Opensolr ecosystem on December 11, 2021.

Your Solr data and indexes hosted by Opensolr have been—and remain—protected.


📋 Did this vulnerability impact my servers or data?

No.

  • Opensolr patched all managed environments immediately after the vulnerability was disclosed.
  • However: We strongly recommend you review and patch any of your own Java applications or infrastructure, if they use log4j.

🧩 Am I safe if I’m running Solr version 1–8?

Yes.

  • The Opensolr patch protects all Solr versions, regardless of which you are running.
  • This was not a Solr-specific issue—it was a vulnerability in the log4j library, used by many Java applications.
  • If log4j is patched, your Solr install is safe.

Need a different Solr version?

  • You can add a new index with a recent Solr version container/server from your Opensolr Control Panel.
  • (Custom migrations or upgrades can be performed by our team for a fee.)

⚠️ What if I run Solr or other Java apps myself?

  • If you manage your own Java services (inside or outside Opensolr), you should patch or update log4j immediately.
  • There are many detailed guides and official resources available online:

🛡️ Best Practices & Next Steps

  • Always apply vendor security patches promptly.
  • Monitor official Solr and Apache log4j channels for updates.
  • Contact Opensolr support for assistance or questions about your managed indexes.

Security is a shared responsibility. Opensolr is committed to protecting your data and providing fast, transparent responses to new threats.


DataImport (DIH) Disabled by Default

Dataimport (DIH) cannot be reached

Due to certain security concerns, the dataimport (DIH) Solr feature is now globally disabled across the entire Opensolr ecosystem.
However, you can still use the dataimport (DIH) Solr feature by requesting that we enable it for your index(es) via our Support Helpdesk at https://opensolr.freshdesk.com/ or directly by email at support@opensolr.com.

Important:

  • It is now mandatory that every Opensolr index is password protected.
  • When creating a new index, the default HTTP Auth credentials are:
    • Username: opensolr
    • Password: Your account's Automation REST API KEY, which can be found in your dashboard at https://opensolr.com/admin/solr_manager/dashboard
  • You can always change your HTTP Auth credentials from your Opensolr Index Control Panel by clicking the Security tab on the left side of the index administration menu.


How to enable Two Factor Authentication

You can enable TFA in your Opensolr account as follows:
