Commit 46b1bf8

BraunMatthias, matthia.braun@sap.com, sjvans, and renejeglinsky authored
Production profile in security guide (#2064)
As a reaction to a security incident. Several customers activated the index page in production.

---------

Co-authored-by: matthia.braun@sap.com <matthias@W-5CG3323MK3>
Co-authored-by: sjvans <30337871+sjvans@users.noreply.github.com>
Co-authored-by: René Jeglinsky <rene.jeglinsky@sap.com>
1 parent 1705c3e commit 46b1bf8

3 files changed

Lines changed: 23 additions & 1 deletion

guides/security/aspects.md

Lines changed: 17 additions & 0 deletions
@@ -693,6 +693,23 @@ For instance, this is true for [authorizations](#secure-authorization) or applic
693693
It's recommended to ensure security settings by automated integration tests.
694694
:::
695695

696+
CAP provides some features that are suitable for development only such as
697+
- Index Page
698+
- Mock Users
699+
- Developer Dashboard (Java only)
700+
701+
These features are deactivated in the production profile by default.
702+
703+
::: warning
704+
**Do not manually enable features for production that are disabled by the production profile**, as this could introduce serious security vulnerabilities.
705+
:::
706+
707+
[Learn more about production profiles in Java](../../java/developing-applications/configuring#production-profile){.learn-more}
708+
[Learn more about production profiles in Node.js](../../node.js/cds-env#profiles){.learn-more}
709+
710+
711+
712+
696713

697714
### Fail Securely { #fail-securely }
698715
<!-- #SEC-239 -->
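Review bot: the new list of development-only features is narrower than what the production profile actually switches off. The configuring.md change in this same commit adds `cds.security.authentication.internalUserAccess.enabled` as a production-profile default, but internal user access is not named here, so a reader of the security guide would not know it is in scope; suggest adding it as a fourth bullet (it is listed on the Java configuration page, so it can carry the same qualifier as the Developer Dashboard) or pointing at that page as the authoritative list. Two smaller points: the lead sentence needs a comma before "such as" (`CAP provides some features that are suitable for development only, such as`), and lines 709 to 712 add four blank lines before the next heading where one is enough. Since the paragraph just above this hunk recommends ensuring security settings by automated integration tests, the warning would be stronger if it said what that test looks like here: a run under the production profile that asserts the index page, mock users and the dashboard are unavailable, which is the check that catches an accidental override of the profile defaults.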

java/developing-applications/configuring.md

Lines changed: 5 additions & 0 deletions
@@ -39,9 +39,14 @@ Property defaults adjusted with the production profile are the following:
3939

4040
- Index Page is disabled: `cds.index-page.enabled` is set to `false`
4141
- Mock Users are strictly disabled: `cds.security.mock.enabled` is set to `false`
42+
- Access for internal testing is disabled: `cds.security.authentication.internalUserAccess.enabled` is set to `false`
4243

4344
Note, that explicit configuration in the application takes precedence over property defaults from the production profile.
4445

46+
::: warning
47+
**Do not manually enable features for production that are disabled by the production profile**, as this could introduce serious security vulnerabilities.
48+
:::
49+
4550
## Using SAP Java Buildpack { #buildpack }
4651

4752
In SAP BTP Cloud Foundry environment, the Java runtime that is used to run your application is defined by the so-called [buildpack](https://docs.cloudfoundry.org/buildpacks/).
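Review bot: the new warning sits directly below the sentence "explicit configuration in the application takes precedence over property defaults from the production profile", which is exactly the mechanism by which these features get re-enabled by mistake, so the warning should name it rather than only state the outcome: a setting such as `cds.index-page.enabled: true` or `cds.security.mock.enabled: true` placed in the application's default configuration rather than under a development-only profile overrides the production default. Suggest the warning say that such overrides belong under a non-production profile and that the safe choice is to leave them unset, and that the aspects.md recommendation applies here: an integration test run with the production profile asserting that these three properties resolve to `false`. Minor: the warning text is a verbatim copy of the one added to guides/security/aspects.md; if the two are meant to stay identical, linking one to the other avoids them drifting apart.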

node.js/cds-server.md

Lines changed: 1 addition & 1 deletion
@@ -261,7 +261,7 @@ The built-in CORS middleware can be enabled explicitly with <Config>cds.server.c
261261

262262
### Toggle Generic Index Page
263263

264-
The default generic _index.html_ page is not served if `NODE_ENV` is set to `production`. Set <Config>cds.server.index: true</Config> to restore the generic index page in production.
264+
The default generic _index.html_ page is not served if `NODE_ENV` is set to `production`. Set <Config>cds.server.index: true</Config> to activate explicitly also in production-like test environments, for example for deployed PoCs. You must not do this in real production environments!
265265

266266
[See the **Generic *index.html*** page in action.](../get-started/in-a-nutshell.md#generic-index-html) {.learn-more}
267267

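Review bot: the replacement sentence reads awkwardly ("to activate explicitly also in production-like test environments"), and the critical instruction is a plain exclamation at the end of the paragraph where it is easy to miss; the Java page and the security guide in this same commit put the equivalent statement in a `::: warning` container, so this page should do the same for consistency. Suggested wording: `Set <Config>cds.server.index: true</Config> only to re-enable the page in production-like test environments, for example for deployed PoCs.` followed by a `::: warning` block stating that it must not be set in real production environments. Since the commit message says the incident came from customers enabling the index page in production, it is also worth stating why the PoC case is risky: the setting overrides the `NODE_ENV=production` default, so if it is committed to the project's cds configuration it stays in effect when that same build is later deployed to real production; scoping it to a non-production profile (the profile mechanism is already linked from aspects.md as `../../node.js/cds-env#profiles`) avoids that.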