
Security

This chapter is for operators deploying KalamDB in staging/production.

Security Baseline Checklist

  1. Serve API behind HTTPS (TLS at edge proxy/load balancer).
  2. Set strong auth.jwt_secret and keep it out of source control.
  3. Keep auth.allow_remote_setup = false after initial bootstrap.
  4. Restrict CORS and WebSocket origins to known domains.
  5. Keep rate limiting and request-size limits enabled.
  6. Restrict setup/health/admin-sensitive routes to trusted networks.
  7. For clusters, enable cluster.rpc_tls (mTLS between nodes).

Baseline Config Example

  [auth]
  jwt_secret = "replace-with-strong-random-secret-32-plus-chars"
  cookie_secure = true
  allow_remote_setup = false

  [rate_limit]
  enable_connection_protection = true
  max_auth_requests_per_ip_per_sec = 20
  max_requests_per_ip_per_sec = 200
  max_connections_per_ip = 100

  [security]
  max_request_body_size = 10485760
  max_ws_message_size = 1048576
  strict_ws_origin_check = true
  allowed_ws_origins = ["https://app.example.com"]

  [security.cors]
  allowed_origins = ["https://app.example.com", "https://admin.example.com"]
  allow_credentials = true

High-Risk Misconfigurations To Avoid

  • Wildcard browser origins in production
  • Disabled rate-limit middleware in public deployments
  • Short/static JWT secrets shared across environments
  • Leaving remote setup enabled permanently
  • Exposing cluster RPC ports publicly
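The following is an added example, not KalamDB's own tooling: a small audit that checks an already-parsed config (the dict `tomllib.loads` would produce) against the baseline config and the high-risk list above. The section and key names are taken from this page; the 32-character minimum secret length is taken from the placeholder in the baseline example, and both sample configs are constructed.

```python
# Audit a parsed KalamDB config against the baseline above (added example, not KalamDB code).
# Section/key names are the page's; the 32-char minimum comes from its placeholder secret.
import copy

MIN_JWT_SECRET_LEN = 32

def audit_config(cfg: dict) -> list:
    """Return one finding per high-risk setting; an empty list means the baseline holds."""
    findings = []
    auth = cfg.get("auth", {})
    secret = auth.get("jwt_secret", "")
    if len(secret) < MIN_JWT_SECRET_LEN or secret.startswith("replace-with"):
        findings.append("auth.jwt_secret is short or still the placeholder")
    if auth.get("allow_remote_setup", False):
        findings.append("auth.allow_remote_setup is still enabled")
    if not auth.get("cookie_secure", False):
        findings.append("auth.cookie_secure is off (cookies sent over plain HTTP)")
    if not cfg.get("rate_limit", {}).get("enable_connection_protection", False):
        findings.append("rate_limit.enable_connection_protection is disabled")
    sec = cfg.get("security", {})
    if not sec.get("strict_ws_origin_check", False):
        findings.append("security.strict_ws_origin_check is disabled")
    for key in ("max_request_body_size", "max_ws_message_size"):
        if not sec.get(key):
            findings.append(f"security.{key} is unset (no size limit)")
    # Browser origins: a wildcard or non-HTTPS entry defeats the origin allow-list.
    origins = list(sec.get("allowed_ws_origins", [])) + list(sec.get("cors", {}).get("allowed_origins", []))
    for origin in origins:
        if origin == "*" or not origin.startswith("https://"):
            findings.append(f"wildcard or non-HTTPS browser origin: {origin}")
    if cfg.get("cluster") and not cfg["cluster"].get("rpc_tls", False):
        findings.append("cluster.rpc_tls is disabled (node-to-node RPC is plaintext)")
    return findings

# Constructed sample: the page's baseline config as a parsed dict.
BASELINE = {
    "auth": {"jwt_secret": "k" * 40, "cookie_secure": True, "allow_remote_setup": False},
    "rate_limit": {"enable_connection_protection": True, "max_requests_per_ip_per_sec": 200},
    "security": {"max_request_body_size": 10485760, "max_ws_message_size": 1048576,
                 "strict_ws_origin_check": True, "allowed_ws_origins": ["https://app.example.com"],
                 "cors": {"allowed_origins": ["https://app.example.com"], "allow_credentials": True}},
}

def weakened_example() -> dict:
    """Constructed copy of BASELINE carrying the misconfigurations listed above."""
    weak = copy.deepcopy(BASELINE)
    weak["auth"].update(jwt_secret="dev", allow_remote_setup=True)
    weak["security"]["cors"]["allowed_origins"] = ["*"]
    weak["rate_limit"]["enable_connection_protection"] = False
    return weak
```

Running `audit_config(weakened_example())` reports the four weakened settings, while the baseline dict produces no findings.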

Incident Response Priorities

  1. Rotate compromised JWT secrets/certificates
  2. Disable compromised users/service accounts
  3. Tighten ingress and rate limits during active abuse
  4. Preserve logs for forensic review