Security

This chapter is for operators deploying KalamDB in staging/production.

Security Baseline Checklist

1. Serve API behind HTTPS (TLS at edge proxy/load balancer).
2. Set strong auth.jwt_secret and keep it out of source control.
3. Keep auth.allow_remote_setup = false after initial bootstrap.
4. Restrict CORS and WebSocket origins to known domains.
5. Keep rate limiting and request-size limits enabled.
6. Restrict setup/health/admin-sensitive routes to trusted networks.
7. For clusters, enable cluster.rpc_tls (mTLS between nodes).

Baseline Config Example

1[auth]2jwt_secret = "replace-with-strong-random-secret-32-plus-chars"3cookie_secure = true4allow_remote_setup = false5 6[rate_limit]7enable_connection_protection = true8max_auth_requests_per_ip_per_sec = 209max_requests_per_ip_per_sec = 20010max_connections_per_ip = 10011 12[security]13max_request_body_size = 1048576014max_ws_message_size = 104857615strict_ws_origin_check = true16allowed_ws_origins = ["https://app.example.com"]17 18[security.cors]19allowed_origins = ["https://app.example.com", "https://admin.example.com"]20allow_credentials = true

High-Risk Misconfigurations To Avoid

• Wildcard browser origins in production
• Disabled rate-limit middleware in public deployments
• Short/static JWT secrets shared across environments
• Leaving remote setup enabled permanently
• Exposing cluster RPC ports publicly

Incident Response Priorities

1. Rotate compromised JWT secrets/certificates
2. Disable compromised users/service accounts
3. Tighten ingress and rate limits during active abuse
4. Preserve logs for forensic review

Related Docs

• Production Checklist
• Authentication Providers
• Token Auth
• Auto-Provisioning Users
• Firebase
• Rate Limiting
• Advanced Configuration
• OIDC & Issuer Trust
• Keycloak
• OpenTelemetry (OTEL)