Closed sudeshgadewar123 closed 1 year ago
Hi @sudeshgadewar123, What's your suggestion? How would you reflect that concern in the release candidate list?
Cheers, Paulo A. Silva
We should add this with adding security guidelines as a part of API Security
1) Need to know basis access
2) Need to know basic data in response based on the API contracts and use case
3) Configure only secure HTTP methods
Hi @sudeshgadewar123, Still not sure I've completely understood your point.
Can you please check whether the following covers what you have in mind:
1. Need to know basis access
2. Need to know basic data in response based on the API contracts and use case
3. Configure only secure HTTP methods
Cheers, Paulo A. Silva
Yes, this does cover using guidelines. Maybe we can link to this and to how to mitigate the issue.
The API's underlying configuration should be protected and should not be left open, with Spring Actuator as an example. For example, heapdump and threaddump will result in a dump of credentials and history. This has been seen quite a bit in bug bounties.
- /auditevents lists security audit-related events such as user login/logout. Also, we can filter by principal or type among other fields.
- /beans returns all available beans in our BeanFactory. Unlike /auditevents, it doesn't support filtering.
- /conditions, formerly known as /autoconfig, builds a report of conditions around autoconfiguration.
- /configprops allows us to fetch all @ConfigurationProperties beans.
- /env returns the current environment properties. Additionally, we can retrieve single properties.
- /flyway provides details about our Flyway database migrations.
- /health summarizes the health status of our application.
- /heapdump builds and returns a heap dump from the JVM used by our application.
- /info returns general information. It might be custom data, build information or details about the latest commit.
- /liquibase behaves like /flyway but for Liquibase.
- /logfile returns ordinary application logs.
- /loggers enables us to query and modify the logging level of our application.
- /metrics details metrics of our application. This might include generic metrics as well as custom ones.
- /prometheus returns metrics like the previous one, but formatted to work with a Prometheus server.
- /scheduledtasks provides details about every scheduled task within our application.
- /sessions lists HTTP sessions given we are using Spring Session.
- /shutdown performs a graceful shutdown of the application.
- /threaddump dumps the thread information of the underlying JVM.
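As an added example (not code from this thread or from the OWASP project), the following Spring Boot configuration shows the weak Actuator exposure setting that leaks heapdump/threaddump beside a hardened form: endpoint exposure is limited in application.properties, the dangerous endpoints are disabled outright, and a dedicated Spring Security filter chain requires an operator role for anything under /actuator. The package name and the role name ACTUATOR_ADMIN are assumptions; the properties and API calls are standard Spring Boot 3 / Spring Security 6.

```java
package example.actuator; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/*
 * Weak setting (what a leaking deployment typically has in application.properties):
 *
 *   management.endpoints.web.exposure.include=*
 *
 * Every Actuator endpoint, including /actuator/heapdump, /actuator/threaddump
 * and /actuator/env, is then reachable over HTTP, and without a security chain
 * like the one below it is reachable anonymously.
 *
 * Corrected setting (application.properties):
 *
 *   # expose only what monitoring actually needs
 *   management.endpoints.web.exposure.include=health,info
 *   # keep the dangerous endpoints switched off even if exposure is widened later
 *   management.endpoint.heapdump.enabled=false
 *   management.endpoint.threaddump.enabled=false
 *   management.endpoint.shutdown.enabled=false
 *   # component details only for authenticated operators, not anonymous callers
 *   management.endpoint.health.show-details=when-authorized
 */
@Configuration
public class ActuatorSecurityConfig {

    // Applies only to Actuator endpoints; the application's own security chain
    // (not shown) handles all other routes.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // liveness/readiness probes may stay anonymous
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // everything else under /actuator requires an operator role (assumed name)
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Disabling heapdump and threaddump via the endpoint-level properties is the important layer: exposure lists get widened during debugging, and the auth chain alone does not stop a leaked operator credential from pulling a heap dump.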