This section covers Gentics Mesh security-related topics.
API tokens can be generated via the /api/v2/users/:uuid/token endpoint.
These tokens should not be publicly exposed since they are equivalent to user credentials.
Tokens can be reset via the /api/v2/users/:uuid/reset_token endpoint.
This will invalidate any previously generated API token.
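The token lifecycle described above, as an added example that is not part of the Gentics Mesh documentation or code base: a small helper that rotates a user's API token in the safe order (reset first, so every older token is invalidated, then issue exactly one new one) and that never writes a full token to a log. The two endpoint paths come from this page; the base URL, the user UUID, the Bearer-token authentication header and the MESH_URL / MESH_USER_UUID / MESH_AUTH_TOKEN environment variable names are assumptions made for this example.

```python
"""Added example (not Gentics Mesh code): generate and rotate a Gentics Mesh API token.

Endpoint paths are taken from the security documentation. The Bearer header
and the environment variable names used in __main__ are assumptions.
"""
import json
import os
import urllib.request


def token_url(base_url: str, user_uuid: str) -> str:
    """Endpoint that issues a new API token for the user (from the docs)."""
    return f"{base_url.rstrip('/')}/api/v2/users/{user_uuid}/token"


def reset_token_url(base_url: str, user_uuid: str) -> str:
    """Endpoint that invalidates every previously issued API token (from the docs)."""
    return f"{base_url.rstrip('/')}/api/v2/users/{user_uuid}/reset_token"


def redact(token: str, keep: int = 4) -> str:
    """Log-safe form of a token: it is equivalent to the user's credentials,
    so only a short prefix is ever written out."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)


def _post(url: str, auth_token: str) -> dict:
    """POST to a Mesh endpoint and parse the JSON reply.
    Assumption: the caller's credential is accepted as a Bearer token."""
    req = urllib.request.Request(
        url,
        method="POST",
        headers={"Authorization": f"Bearer {auth_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def rotate_api_token(base_url: str, user_uuid: str, auth_token: str) -> dict:
    """Rotate in the safe order: reset (invalidates all old tokens) and only then
    issue one fresh token. The parsed response of the token endpoint is returned;
    the caller extracts the token field named in the Mesh API documentation."""
    _post(reset_token_url(base_url, user_uuid), auth_token)
    return _post(token_url(base_url, user_uuid), auth_token)


if __name__ == "__main__":
    # Assumed environment variable names; nothing runs without them set.
    base = os.environ["MESH_URL"]
    uuid = os.environ["MESH_USER_UUID"]
    cred = os.environ["MESH_AUTH_TOKEN"]
    reply = rotate_api_token(base, uuid, cred)
    # Print only a redacted view of whatever string values the reply carries.
    print({k: redact(v) if isinstance(v, str) else v for k, v in reply.items()})
```

The reset call goes first so that there is never a window in which two valid tokens exist for the user; if the process dies between the two calls, the user simply has no API token rather than a stale one.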
The httpServer.serverTokens configuration flag or the MESH_HTTP_SERVER_TOKENS environment variable can be used to control whether server version information gets exposed via REST (/api/v1, /api/v2), GraphQL or HTTP headers. By default server tokens are enabled.
Please note that server tokens are still visible to admin users even when httpServer.serverTokens is set to false.
Gentics Mesh can provide various internal services which each utilize dedicated ports. By default only the REST and GraphQL API on port 8080 will be exposed. The REST and GraphQL API is secured by the Gentics Mesh authentication mechanism.
Exposing the search index (Elasticsearch) service directly would allow anyone to modify, read and delete any of the data within the search index. User passwords are not stored within this index.
Search queries can be submitted via the /api/v2/:project/search/:type endpoints. These endpoints are secured by Gentics Mesh.
The following sections are irrelevant if the SQL RDBMS storage premium feature is used. Please refer to the feature documentation instead.
The storage.startServer setting can be used to start the OrientDB server on ports 2424 and 2480. This server will also be started automatically if the cluster.enabled setting is enabled. It is advised not to expose this service.
The cluster.enabled setting will start up the OrientDB server as described above. Additionally the Vert.x eventbus, Elasticsearch clustering and Hazelcast service will be started. All these services open dedicated ports which bind to the network interface configured via the cluster.networkHost setting.
Do not expose the service ports which are listed in the clustering documentation to the internet.
The Elasticsearch server will automatically open port 9200. Keep in mind that this service should never be exposed publicly since it is not protected by any authentication mechanism.
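The settings discussed in the last few paragraphs (httpServer.serverTokens / MESH_HTTP_SERVER_TOKENS, storage.startServer, cluster.enabled, cluster.networkHost) and the ports they open (8080, 9200, 2424/2480) can be checked offline before a deployment. The following is an added example, not part of the Gentics Mesh documentation or code base: it reads a configuration in the nested shape of a parsed mesh.yml and lists the services that must not be reachable from the internet. The sample configuration is constructed for the example, and the rule that an environment variable overrides the value in mesh.yml is an assumption; the clustering ports themselves are not on this page, so the audit only names the cluster.networkHost interface they bind to.

```python
"""Added example (not Gentics Mesh code): offline audit of Mesh exposure settings.

Setting names and port numbers come from the security documentation.
Assumption: MESH_HTTP_SERVER_TOKENS in the environment overrides mesh.yml.
"""
from typing import Dict, List, Tuple

# Constructed sample configuration in the nested shape of a parsed mesh.yml.
SAMPLE_CONFIG: Dict = {
    "httpServer": {"serverTokens": True},
    "storage": {"startServer": False},
    "cluster": {"enabled": True, "networkHost": "0.0.0.0"},
}

ALL_INTERFACES = {"0.0.0.0", "::"}


def _get(cfg: Dict, dotted: str, default=None):
    """Look up a dotted key such as 'cluster.networkHost' in a nested dict."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _as_bool(value) -> bool:
    """Accept YAML booleans as well as the string form used in environment variables."""
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def server_tokens_enabled(cfg: Dict, env: Dict[str, str]) -> bool:
    """Effective httpServer.serverTokens value: enabled by default (per the docs);
    an environment variable is assumed to take precedence over mesh.yml."""
    if "MESH_HTTP_SERVER_TOKENS" in env:
        return _as_bool(env["MESH_HTTP_SERVER_TOKENS"])
    return _as_bool(_get(cfg, "httpServer.serverTokens", True))


def audit(cfg: Dict, env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the given configuration."""
    findings: List[Tuple[str, str]] = []
    # REST/GraphQL on 8080 is protected by Mesh authentication: informational only.
    findings.append(("INFO", "8080/tcp: REST and GraphQL API, protected by Mesh authentication"))
    # The embedded Elasticsearch port is opened automatically and has no authentication.
    findings.append(("HIGH", "9200/tcp: Elasticsearch has no authentication; never expose it publicly"))
    cluster = _as_bool(_get(cfg, "cluster.enabled", False))
    if _as_bool(_get(cfg, "storage.startServer", False)) or cluster:
        findings.append(("HIGH", "2424/tcp and 2480/tcp: OrientDB server is started "
                                 "(storage.startServer or cluster.enabled); do not expose it"))
    if cluster:
        host = _get(cfg, "cluster.networkHost")
        if host in ALL_INTERFACES:
            findings.append(("HIGH", f"cluster.networkHost={host!r}: eventbus, Elasticsearch "
                                     "clustering and Hazelcast ports bind to every interface"))
        else:
            findings.append(("MEDIUM", f"cluster.networkHost={host!r}: confirm the clustering "
                                       "ports listed in the clustering documentation are firewalled"))
    if server_tokens_enabled(cfg, env):
        findings.append(("LOW", "httpServer.serverTokens enabled (default): server version is "
                                "exposed via REST, GraphQL and HTTP headers; set it to false or "
                                "MESH_HTTP_SERVER_TOKENS=false (admins still see it)"))
    return findings


if __name__ == "__main__":
    import os
    for severity, message in audit(SAMPLE_CONFIG, dict(os.environ)):
        print(f"[{severity}] {message}")
```

Running the block as a script prints the findings for the constructed sample; pointing `audit()` at the parsed contents of a real mesh.yml and `os.environ` gives the same list for an actual deployment.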
User passwords are stored as bcrypt hashes.
Please do not post security issues to our GitHub issues page. Instead we encourage you to submit security issues to us via support@gentics.com.
Publicly disclosing a vulnerability can put the entire community which makes use of Gentics Mesh at risk.
Your disclosure should include:
A description of the issue
A list of steps which can be followed to reproduce the issue