NAME
Kernel::WebApp – Entry point for the built-in web server based on Mojolicious.
DESCRIPTION
This class represents the OTRS web application, an HTTP server based on Mojolicious.
It serves both the legacy front-ends of OTRS, such as the agent interface, and the new webpack-based External Interface front-end application.
Security Concept of the Agent & External Interfaces and the REST API
All modern front-ends are client-side, single-page applications generated with webpack, which use a REST API on the server. This is what most of Kernel::WebApp is about. The following security measures are in place:

- Content Security Policy

  Content Security Policy headers are set for the client application, restricting access to the current server only. See Kernel::WebApp::Controller::Role::SetsSecurityHeaders for details. Most notably, JavaScript code can only be fetched from the webpack-generated assets folder. Any other scripts (inline, from different folders or from remote) will be ignored. Other resource types are restricted as much as possible, too.

- JSON Web Tokens

  For authentication, JSON Web Tokens (RFC 7519) are used for cryptographically secured, client-side storage of authentication information. These tokens have to be sent using the standard HTTP Authentication header. They contain only minimal information (such as the username) and are stored in the localStorage on the client side. Tokens can be revoked in the session administration. The tokens also include information about the remote IP address and are invalidated if it changes (this can be turned off with the CheckSessionRemoteIP option). This also works behind reverse proxies if proxy support is enabled in WebApp.conf. Endpoints can specify that they can only be used with a valid token; otherwise a 401 Unauthorized response will be generated automatically (see Kernel::WebApp::Controller::API::Role::RequiresCustomerAuthentication).

- Restricted use of Cookies

  Endpoints can specify that they can also be called with a cookie containing the token. This is necessary because in some contexts (like loading inline images) it is not possible to send custom HTTP headers. To guard against CSRF attacks, these cookies are generated by the server with the httpOnly option and are only accepted by the endpoints that really need them.

- Deep validation of input data

  Endpoints specify which kind of input data they expect (see Kernel::WebApp::Controller::API::Role::ValidatesInputData and Kernel::System::DataValidation). This causes an implicit validation of this data and can include deep validations such as checking for an existing TicketID. In case of errors, a 422 Unprocessable Entity response will be generated automatically.
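As an added illustration (not OTRS code; the Kernel::WebApp roles named above are not used), the following minimal Mojolicious::Lite application mirrors two of the measures: a Content Security Policy that allows scripts only from an assets folder, and a Bearer JSON Web Token (HS256) whose IP claim must match the caller's address, with a 401 response otherwise. It assumes Mojolicious plus the core Digest::SHA and MIME::Base64 modules; the /assets/ path, the secret, the CheckRemoteIP switch and the IssueToken/VerifyToken names are placeholders.

```perl
# Added example, not OTRS code: CSP limited to an assets folder plus a Bearer JWT
# (HS256, RFC 7519) bound to the remote IP, rejected with 401 on any mismatch.
use Mojolicious::Lite;
use Mojo::JSON qw(encode_json decode_json);
use Digest::SHA qw(hmac_sha256);
use MIME::Base64 qw(encode_base64url decode_base64url);

my $Secret        = 'constructed-demo-secret';   # assumption: load from config in real use
my $CheckRemoteIP = 1;                           # mirrors the idea of CheckSessionRemoteIP

# Set the policy on every response: scripts may only come from <this origin>/assets/.
app->hook(before_dispatch => sub {
    my $c      = shift;
    my $Origin = $c->req->url->base;             # scheme://host[:port] of this server
    $c->res->headers->header('Content-Security-Policy' =>
        "default-src 'self'; script-src $Origin/assets/; object-src 'none'; frame-ancestors 'none'");
});

# Build header.payload.signature, with the caller's IP as a claim.
sub IssueToken {
    my ($UserLogin, $RemoteIP) = @_;
    my $Header  = encode_base64url(encode_json({ alg => 'HS256', typ => 'JWT' }));
    my $Payload = encode_base64url(encode_json({ sub => $UserLogin, ip => $RemoteIP }));
    my $Sig     = encode_base64url(hmac_sha256("$Header.$Payload", $Secret));
    return "$Header.$Payload.$Sig";
}

# Returns the claims hash on success, undef on bad signature or IP mismatch.
sub VerifyToken {
    my ($Token, $RemoteIP) = @_;
    my ($Header, $Payload, $Sig) = split /\./, ($Token // ''), 3;
    return unless defined $Sig;
    my $Expected = encode_base64url(hmac_sha256("$Header.$Payload", $Secret));
    # Constant-time comparison: XOR the two strings and count the set bits.
    return unless length $Sig == length $Expected
        && unpack('%32B*', $Sig ^ $Expected) == 0;
    my $Claims = decode_json(decode_base64url($Payload));
    return if $CheckRemoteIP && ($Claims->{ip} // '') ne $RemoteIP;
    return $Claims;
}

get '/api/whoami' => sub {
    my $c = shift;
    my ($Token) = ($c->req->headers->authorization // '') =~ /^Bearer\s+(\S+)$/;
    # remote_address honours X-Forwarded-For only when Mojolicious proxy support is enabled.
    my $Claims = VerifyToken($Token, $c->tx->remote_address)
        or return $c->render(status => 401, json => { error => 'Unauthorized' });
    return $c->render(json => { user => $Claims->{sub} });
};
app->start;
```

Running it with `morbo` and calling /api/whoami without a header, with a tampered token, or with a token issued for a different client address all yield 401; only a token from IssueToken for the same address returns the user.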
PUBLIC INTERFACE
startup()
This method will run once at server start.
LoadPlugins()
Locate and load all plugins from Kernel/WebApp/Plugin.
LoadRoutes()
Locate and load all routes from Kernel/WebApp/Controller.
