This section will cover information about Gentics Mesh security related topics.

API Tokens

API tokens can be generated via the /api/v2/users/:uuid/token. These tokens should not be publicly exposed since they they are equivalent to user credentials. Tokens can be reset via the /api/v2/users/:uuid/reset_token endpoint. This will invalidate any previously generated API token.

Server Tokens

The httpServer.serverTokens configuration flag or MESH_HTTP_SERVER_TOKENS environment variable can be used to control whether server version information gets exposed via REST (/api/v1, /api/v2), GraphQL or HTTP headers. By default server tokens are enabled.

Please note that server tokens are still visible to admin users even when httpServer.serverTokens is set to false.

Network Security

Gentics Mesh can provide various internal services which each utilize dedicated ports. By default only the REST and GraphQL API on port 8080 will be exposed. The REST and GraphQL API is secured by the Gentics Mesh authentication mechanism.

Exposing this service would allow anyone to modify, read and delete any of the data within the search index. User passwords are not stored within this index.
Search queries can be submitted via the /api/v2/:project/search/:type endpoints. These endpoints are secured by Gentics Mesh.
The following sections are irrelevant, if SQL RDBMS storage premium feature is used. Please refer to the feature documentation instead.

The storage.startServer setting can be used to start the OrientDB server on port 2424 and 2480. This server will automatically be started if the cluster.enabled setting is enabled. It is advised to not expose this service.

The cluster.enabled setting will startup the OrientDB server as described above. Additionally the Vert.x eventbus, Elasticsearch clustering and Hazelcast service will be started. All these services will open dedicated ports which will bind to the network which can be configured via the cluster.networkHost setting.

Do not expose the service ports which are listed in the clustering documentation to the internet.


The Elasticsearch server will automatically open port 9200. Keep in mind that this service should never be exposed publicly since it is not protected by any authentication mechanism.

Database Security

User passwords are stored as bcrypt hashes.

Vulnerability Disclosure Policy

Please do not post security issues to our GitHub issues page. Instead we encourage you to submit security issues to us via

Publicly disclosing a vulnerability can put the entire community which makes use of Gentics Mesh at risk.

Your disclosure should include:

  • A description of the issues

  • A list of steps which can be followed to reproduce the issue