GCN Product Security Guide

This documentation provides recommendations for secure coding practices when using the Micronaut^® framework. To understand the security architecture of Micronaut, see Micronaut Security Architecture.

Secure Configuration #

Micronaut supports configuration using common formats such as YAML or Java properties files. These can be defined as part of the project in, for example, src/main/resources/application.properties.

This is an example of server port configuration:

micronaut.server.port.8080

Whenever you provide configuration in source files that can be included in a source repository, you should never include passwords, secrets, tokens, or any other potentially sensitive information. Micronaut has a variety of mechanisms available to externalize sensitive configuration such as secrets.

SSL Configuration #

Micronaut requires that you configure and enable SSL and, when doing so, use known secure cryptography algorithms.

A self-signed certificate should never be used (Micronaut will print a warning if self-signed certificates are enabled).

Micronaut Management #

Micronaut includes an optional Management module that exposes management endpoints over HTTP. By default no sensitive data is exposed by these endpoints, however you should configure and run these management endpoints on a separate port which is not exposed and accessible externally. This can be done using the following configuration:

endpoints:
  all:
    port: 8085

The above example runs the management endpoints on port 8085.

Micronaut Security #

When combined with Micronaut Security, Micronaut will lock down all available endpoints including static resources by default.

When opening up rules to allow authenticated users to access resources, rules should be as limited in scope as possible. We recommend the following:

• Be extra cautious when defining intercept URL maps using wild cards that open up multiple resources.
• Avoid use of the IS_ANONYMOUS security annotation at the type level that opens up all methods of that type to anonymous access.

When using JWT-based authentication, you should configure JWT encryption to use known secure cryptography algorithms.