docs: add warning for security concerns on deploying in prod with custom secret
Juiced66 committed Oct 15, 2024
1 parent dca8c86 commit c79dbaa
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions doc/2/guides/getting-started/deploy-your-application/index.md
Expand Up @@ -48,6 +48,18 @@ This deployment does not use any SSL encryption (HTTPS).
A production deployment must include a reverse proxy to securize the connection with SSL.
:::

::: warning
#### Production Deployment: Auth Token Secret

For every production deployment of Kuzzle, it is essential to set the kuzzle_security__authToken__secret environment variable. This ensures that the JWT secrets used for authenticating requests are generated externally and not stored in Elasticsearch. By managing the secret through an environment variable, you enhance security, prevent potential data exposure, and ensure tokens remain valid only as long as the secret remains unchanged.

Important: If the `kuzzle_security__authToken__secret` value is changed when Kuzzle restarts, all existing tokens will be invalidated. This ensures that only tokens signed with the current secret remain valid, adding an extra layer of security.

For default configuration values, you can refer to [the sample Kuzzle configuration file](https://github.com/kuzzleio/kuzzle/blob/master/.kuzzlerc.sample.jsonc).

Note: If the secret is not set, Kuzzle will fallback to a less secure method of generating and storing the secret, which is not recommended for production environments.
:::

## Prepare our Docker Compose deployment

We are going to write a `docker-compose.yml` file that describes our services.
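Review bot: The first paragraph of the new warning gives the variable name as plain text (kuzzle_security__authToken__secret) while the "Important" paragraph wraps it in backticks; code-format it in both places for consistency. More substantively, the closing "Note" says Kuzzle "will fallback to a less secure method of generating and storing the secret" without saying what that method is, even though the first paragraph already implies it (a generated secret stored in Elasticsearch); state it explicitly so readers understand what the env var protects against, and write "fall back" (the verb) rather than "fallback". Finally, the "Important" paragraph frames token invalidation on a secret change as "adding an extra layer of security"; it is more accurately an operational consequence of rotation: changing the value forces every user to re-authenticate, which is desirable after a suspected compromise but will also log everyone out on an ordinary restart with a changed value, so the sentence should warn operators to plan rotations rather than present it as a benefit.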

0 comments on commit c79dbaa
