Security
This chapter is for operators deploying KalamDB in staging/production.
Security Baseline Checklist
- Serve API behind HTTPS (TLS at edge proxy/load balancer).
- Set strong `auth.jwt_secret` and keep it out of source control.
- Keep `auth.allow_remote_setup = false` after initial bootstrap.
- Restrict CORS and WebSocket origins to known domains.
- Keep rate limiting and request-size limits enabled.
- Restrict setup/health/admin-sensitive routes to trusted networks.
- For clusters, enable `cluster.rpc_tls` (mTLS between nodes).
Baseline Config Example
```toml
[auth]
jwt_secret = "replace-with-strong-random-secret-32-plus-chars"
cookie_secure = true
allow_remote_setup = false

[rate_limit]
enable_connection_protection = true
max_auth_requests_per_ip_per_sec = 20
max_requests_per_ip_per_sec = 200
max_connections_per_ip = 100

[security]
max_request_body_size = 10485760
max_ws_message_size = 1048576
strict_ws_origin_check = true
allowed_ws_origins = ["https://app.example.com"]

[security.cors]
allowed_origins = ["https://app.example.com", "https://admin.example.com"]
allow_credentials = true
```
High-Risk Misconfigurations To Avoid
- Wildcard browser origins in production
- Disabled rate-limit middleware in public deployments
- Short/static JWT secrets shared across environments
- Leaving remote setup enabled permanently
- Exposing cluster RPC ports publicly
Incident Response Priorities
- Rotate compromised JWT secrets/certificates
- Disable compromised users/service accounts
- Tighten ingress and rate limits during active abuse
- Preserve logs for forensic review