spetz opened a new pull request, #2974: URL: https://github.com/apache/iggy/pull/2974
Deploying the HTTP server with hardcoded default JWT secrets is a security risk — every instance shares the same signing key. Empty defaults now trigger secure random secret generation at startup, with a warning logged showing a redacted preview of the generated value. When both encoding and decoding secrets are empty, a single random secret is generated and used for both (symmetric HMAC). Tokens are invalidated on restart, nudging operators to set persistent secrets in production.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]

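The startup behaviour the PR describes (empty secrets replaced by random ones, a single shared secret when both are empty, and a log line that shows only a redacted preview) can be sketched as follows. This is an added illustration written for this page, not iggy's code from the PR: the `JwtConfig` and `ResolvedSecrets` types, the `resolve_secrets` function, the 4-character preview length and the handling of the mixed case (only one of the two secrets empty, where just the missing one is generated) are all assumptions. The entropy source is injected so the logic can be exercised with a deterministic filler; the default `os_random` reads `/dev/urandom` and therefore assumes a Unix host.

```rust
use std::fs::File;
use std::io::{self, Read};

/// Hypothetical JWT section of an HTTP server config (not iggy's real struct).
/// An empty or whitespace-only string stands for "not configured".
#[derive(Debug, Clone, PartialEq)]
pub struct JwtConfig {
    pub encoding_secret: String,
    pub decoding_secret: String,
}

/// Secrets actually used at runtime plus the warnings destined for the startup log.
#[derive(Debug, PartialEq)]
pub struct ResolvedSecrets {
    pub encoding: String,
    pub decoding: String,
    pub warnings: Vec<String>,
}

/// Entropy source signature: fills the buffer or fails. Injected so tests can be deterministic.
pub type Rng<'a> = &'a mut dyn FnMut(&mut [u8]) -> io::Result<()>;

/// Default entropy source: the OS CSPRNG via /dev/urandom (assumes a Unix host).
pub fn os_random(buf: &mut [u8]) -> io::Result<()> {
    File::open("/dev/urandom")?.read_exact(buf)
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

/// Redacted preview for the log: a short prefix plus the length, never the full value.
pub fn redact(secret: &str) -> String {
    let shown: String = secret.chars().take(4).collect();
    format!("{}...({} chars)", shown, secret.len())
}

/// 32 random bytes (256 bits) rendered as hex; enough key material for HS256.
pub fn generate_secret(rng: Rng) -> io::Result<String> {
    let mut buf = [0u8; 32];
    rng(&mut buf)?;
    Ok(hex(&buf))
}

/// Replace empty secrets with freshly generated ones. If both are empty, one secret
/// serves both roles (symmetric HMAC). Each generated value produces a warning that
/// carries only the redacted preview and reminds the operator that tokens will not
/// survive a restart.
pub fn resolve_secrets(cfg: &JwtConfig, rng: Rng) -> io::Result<ResolvedSecrets> {
    let enc_empty = cfg.encoding_secret.trim().is_empty();
    let dec_empty = cfg.decoding_secret.trim().is_empty();
    let mut warnings = Vec::new();
    let restart_note = "tokens will be invalidated on restart; set persistent secrets in production";

    let (encoding, decoding) = match (enc_empty, dec_empty) {
        (false, false) => (cfg.encoding_secret.clone(), cfg.decoding_secret.clone()),
        (true, true) => {
            let s = generate_secret(rng)?;
            warnings.push(format!(
                "JWT secrets not configured; generated one random secret for both encoding and decoding: {}; {}",
                redact(&s), restart_note
            ));
            (s.clone(), s)
        }
        (true, false) => {
            // Assumption: generate only the missing half; the operator is warned
            // because a mismatched pair makes every issued token unverifiable.
            let s = generate_secret(rng)?;
            warnings.push(format!(
                "JWT encoding secret not configured; generated {} (decoding secret is set, check the pair matches); {}",
                redact(&s), restart_note
            ));
            (s, cfg.decoding_secret.clone())
        }
        (false, true) => {
            let s = generate_secret(rng)?;
            warnings.push(format!(
                "JWT decoding secret not configured; generated {} (encoding secret is set, check the pair matches); {}",
                redact(&s), restart_note
            ));
            (cfg.encoding_secret.clone(), s)
        }
    };
    Ok(ResolvedSecrets { encoding, decoding, warnings })
}

fn main() -> io::Result<()> {
    // Constructed sample: a config with both secrets left empty, as a fresh deployment might.
    let cfg = JwtConfig { encoding_secret: String::new(), decoding_secret: String::new() };
    let resolved = resolve_secrets(&cfg, &mut os_random)?;
    for w in &resolved.warnings {
        eprintln!("WARN {}", w);
    }
    assert_eq!(resolved.encoding, resolved.decoding);
    Ok(())
}
```

The point of checking `warnings` in a test is the redaction property: no log line may contain the full generated secret, since startup logs routinely end up in shared log aggregation.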