diff --git a/esignet-service/src/main/resources/application-default.properties b/esignet-service/src/main/resources/application-default.properties
index 064b6a546..741ad8cfd 100644
--- a/esignet-service/src/main/resources/application-default.properties
+++ b/esignet-service/src/main/resources/application-default.properties
@@ -108,13 +108,16 @@ mosip.esignet.security.auth.post-urls={'/client-mgmt/**' : {'SCOPE_add_oidc_clie
 mosip.esignet.security.auth.put-urls={'/client-mgmt/**' : { 'SCOPE_update_oidc_client'} }
 mosip.esignet.security.auth.get-urls={'/system-info/**' : { 'SCOPE_get_certificate'} }
-mosip.esignet.security.ignore-csrf-urls=/oidc/**,/oauth/**,/actuator/**,/favicon.ico,/error,\
+mosip.esignet.security.ignore-csrf-urls=/oidc/**,/oauth/**,/actuator/health,/actuator/health/**,/actuator/info,/actuator/prometheus,/favicon.ico,/error,\
 /swagger-ui/**,/v3/api-docs/**,/linked-authorization/link-transaction,/linked-authorization/authenticate,\
 /linked-authorization/consent,/binding/**,/client-mgmt/**,/system-info/**,/linked-authorization/v2/link-transaction,\
 /linked-authorization/v2/authenticate,/linked-authorization/v2/consent
+# SECURITY: Do NOT whitelist /actuator/** here. Only allow the specific safe endpoints (health, info, prometheus)
+# to be reachable without authentication. All other actuator endpoints must require auth (or be blocked at network level).
 mosip.esignet.security.ignore-auth-urls=/csrf/**,/authorization/**,/linked-authorization/**,/oidc/**,/oauth/**,\
- /actuator/**,/favicon.ico,/error,/swagger-ui/**,/v3/api-docs/**,/binding/**
+ /actuator/health,/actuator/health/**,/actuator/info,/actuator/prometheus,\
+ /favicon.ico,/error,/swagger-ui/**,/v3/api-docs/**,/binding/**
 spring.security.oauth2.resourceserver.jwt.issuer-uri=${keycloak.external.url}/auth/realms/mosip
 spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${keycloak.external.url}/auth/realms/mosip/protocol/openid-connect/certs
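Review bot: The new ignore-auth-urls list still leaves `/actuator/prometheus` reachable by any anonymous caller of the service port, and the added comment only mentions the network-level control for the "other" actuator endpoints; Prometheus output includes JVM, HTTP-request and datasource metrics, which is reconnaissance-grade information on its own. Please extend the comment so the intent is explicit, e.g. `# /actuator/prometheus is anonymous only for the scraper: restrict it to the monitoring network (ingress / network policy).` The same endpoint list is now duplicated in ignore-csrf-urls two lines above and must match management.endpoints.web.exposure.include in bootstrap.properties; a one-line note that the three must change together would prevent drift. Whether paths absent from ignore-auth-urls fall through to an authenticated-by-default rule is decided by the security configuration class, which is outside this hunk, so the whitelist should be reviewed together with that class.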
diff --git a/esignet-service/src/main/resources/bootstrap.properties b/esignet-service/src/main/resources/bootstrap.properties
index 48ce1160f..e9748deb8 100644
--- a/esignet-service/src/main/resources/bootstrap.properties
+++ b/esignet-service/src/main/resources/bootstrap.properties
@@ -36,12 +36,19 @@ server.tomcat.accesslog.file-date-format=
 server.tomcat.basedir=.
 server.tomcat.accesslog.pattern={"@timestamp":"%{yyyy-MM-dd'T'HH:mm:ss.SSS'Z'}t","level":"ACCESS","level_value":70000,"traceId":"%{X-B3-TraceId}i","spanId":"%{X-B3-SpanId}i","statusCode":%s,"req.requestURI":"%U","bytesSent":%b,"timeTaken":%T,"appName":"${spring.application.name}","req.userAgent":"%{User-Agent}i","req.xForwardedFor":"%{X-Forwarded-For}i","req.referer":"%{Referer}i","req.method":"%m","req.remoteHost":"%a"}
-## Prometheus
+## Prometheus / Actuator
+# SECURITY: Restrict actuator exposure to only required endpoints. Do NOT use '*',
+# as that exposes sensitive endpoints such as /actuator/env, /actuator/beans, /actuator/configprops, /actuator/heapdump.
+management.endpoints.web.exposure.include=health,info,prometheus
+management.endpoints.web.exposure.exclude=env,beans,configprops,heapdump,threaddump,loggers,mappings,scheduledtasks,caches,conditions,httptrace,shutdown
 management.endpoint.metrics.access=read-only
-management.endpoints.web.exposure.include=*
 management.endpoint.prometheus.access=read-only
 management.prometheus.metrics.export.enabled=true
-management.endpoint.env.show-values=ALWAYS
+# SECURITY: Never reveal raw env / configprops values; hide health details from anonymous callers.
+management.endpoint.env.show-values=NEVER
+management.endpoint.configprops.show-values=NEVER
+management.endpoint.health.show-details=never
+management.endpoint.health.show-components=never
 # disable mapping unknown endpoints to static resources instead throw exception
 spring.web.resources.add-mappings=false
\ No newline at end of file
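Review bot: The added `management.endpoints.web.exposure.exclude` line is redundant next to an explicit `include=health,info,prometheus` (include already closes everything not named) and it is partly stale: this file already uses the `management.endpoint.*.access` keys introduced in Spring Boot 3.4, and in Boot 3.x the `httptrace` endpoint id no longer exists (it became `httpexchanges`), so that entry does nothing, while ids such as `sessions`, `metrics` and `startup` are not listed at all. The danger is drift: if a later change widens include again, the exclude list will look like a safety net but only blocks the ids it happens to name. Either drop the exclude line, or keep it as defence in depth with `httptrace` replaced by `httpexchanges` and the comment amended with `# The explicit include list is what limits exposure; exclude below is defence in depth only and is not exhaustive.` The `management.endpoint.metrics.access=read-only` context line refers to an endpoint that is no longer exposed at all after this change, which is fine but worth a short comment so nobody re-adds `metrics` to include to "make it work".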