Looking for Cloud Services or Professional Support? Check restheart.com

Default Configuration


This page presents the RESTHeart default configuration splitting it in different sections.

The default configuration applies when RESTHeart is started without specifying a configuration file:

$ java -jar restheart.jar

The default configuration template can be printed out with the following command:

$ java -jar restheart.jar -t
The default configuration is fine most of the times. You just want to change few options and the suggested way is using the default configuration with the needed overrides. See modify the configuration with overrides

Standalone configuration

The default configuration enables several plugins that require MongoDB. If you are using RESTHeart without MongoDB an alternative default configuration can be used with the -s option, where s stands for standalone.

standalone configuration is available from RESTHeart v7.2

This configuration enables the fileRealmAuthenticator and the fileAclAuthorizer and disables the MongoDB data APIs.

It defines the user admin but the password must be set overriding the configuration. The following command sets the password of the admin user as secret using the RHO environment variable:

$ RHO="/fileRealmAuthenticator/users[userid='admin']/password->'secret'" java -jar core/target/restheart.jar -s


# RESTHeart Configuration File.
## See https://restheart.org/docs/setup/#configuration-files

# HTTP Listener
# WARNING: Using the http listener is not secure.
  enabled: true
  host: localhost
  port: 8080

# HTTPS Listener
  enabled: false
  host: localhost
  port: 4443
  # The https listener requires setting up a TLS certificate.
  # See https://restheart.org/docs/security/tls/
  keystore-path: null
  keystore-password: null
  certificate-password: null

# AJP Listener
  enabled: false
  host: localhost
  port: 8009

Authentication Mechanisms

# Auth Token Authentication
# The verified token is generated by the enabled token manager
# see https://restheart.org/docs/security/authentication#token-authentication
  enabled: true

# Basic Authentication
# see https://restheart.org/docs/security/authentication#basic-authentication
  enabled: true
  authenticator: mongoRealmAuthenticator

# JSON Web Token Authentication
# see https://restheart.org/docs/security/authentication#jwt-authentication
  enabled: false
  algorithm: HS256
  key: secret
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: null
  #  - jwt-role
  issuer: myIssuer
  audience: myAudience

# Digest Authentication
# see https://restheart.org/docs/security/authentication#digest-authentication
  # digest authentication is disabled by default
  # because it requires the passwords to be stored in plaintext
  # and mongoRealmAuthenticator hashes the passwords by default (bcrypt-hashed-password: true)
  enabled: false
  realm: RESTHeart Realm
  domain: localhost
  authenticator: mongoRealmAuthenticator

# For development purposes. Always authenticate the request with the given user
# see https://restheart.org/docs/security/authentication#identity-authentication
  enabled: false
  username: admin
    - admin
    - user


# fileRealmAuthenticator defines users credentials and roles in a simple yml file.
# see https://restheart.org/docs/security/authentication#file-realm-authenticator
  enabled: false
  conf-file: ./users.yml

# mongoRealAuthenticator authenticates users defined in a MongoDB collection.
# see https://restheart.org/docs/security/authentication#mongo-realm-authenticator
  enabled: true
  users-db: restheart
  users-collection: users
  prop-id: _id
  prop-password: password
  json-path-roles: $.roles
  bcrypt-hashed-password: true
  bcrypt-complexity: 12
  enforce-minimum-password-strenght: false
  # Integer from 0 to 4
  # 0 Weak        (guesses < 3^10)
  # 1 Fair        (guesses < 6^10)
  # 2 Good        (guesses < 8^10)
  # 3 Strong      (guesses < 10^10)
  # 4 Very strong (guesses >= 10^10)
  minimum-password-strength: 3
  create-user: true
  create-user-document: '{"_id": "admin", "password": "$2a$12$lZiMMNJ6pkyg4uq/I1cF5uxzUbU25aXHtg7W7sD2ED7DG1wzUoo6u", "roles": ["admin"]}'
  # create-user-document.password must be hashed when bcrypt-hashed-password=true
  # default password is 'secret'
  # see https://bcrypt-generator.com but replace initial '$2y' with '$2a'
  cache-enabled: false
  cache-size: 1000
  cache-ttl: 60000
  cache-expire-policy: AFTER_WRITE


# fileAclAuthorizer authorizes requests according to the Access Control List  defined in a YAML file.
# see https://restheart.org/docs/security/authorization#file-acl-authorizer
  enabled: false
  conf-file: ./acl.yml

# mongoAclAuthorizer authorizes requests according to the Access Control List defined in a MongoDB collection.
# see https://restheart.org/docs/security/authorization#mongo-acl-authorizer
  enabled: true
  acl-db: restheart
  acl-collection: acl
  # clients with root-role can execute any request
  root-role: admin
  cache-enabled: true
  cache-size: 1000
  cache-ttl: 5000
  cache-expire-policy: AFTER_WRITE

# originVetoer protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted
# see https://restheart.org/docs/security/authorization#originvetoer
  enabled: false
    - https://restheart.org
    - http://localhost
  # optional list of paths for whose the Origin header
  # is not checked. values can be absolute paths
  # or patterns like /{var}/path/to/resource/*
  # ignore-paths:
  #   - /{tenant}/bucket.files/{id}/binary
  #   - /coll/docid

# fullAuthorizer authorizes all requests
  enabled: false
  authentication-required: true

Token Managers

# Token Manager
# see https://restheart.org/docs/security/authentication#token-managers

 # If a token-manager is configured, RESTHeart will use it to generate
 # and verify auth tokens.
 # If more than one token-manager are defined, the first one will be used
 # The token is returned to the caller via auth-token header when the user
 # autheticates successfully. The token can be used by Authentication Mechanisms.

# rndTokenService generates auth tokens using a random number generator.
  enabled: true
  ttl: 15
  srv-uri: /tokens

# jwtTokenManager generates JWT auth tokens.
# Use this in clustered deployments, since all nodes sharing the key
# can verify the token independently
  enabled: false
  key: secret
  ttl: 15
  srv-uri: /tokens
  issuer: restheart.org

Mongo Client Provider

# Provider the MongoClient via @Inject('mclient') and @Inject('mclient-reactive')
  # see https://docs.mongodb.com/manual/reference/connection-string/
  connection-string:  mongodb://

MongoService: MongoDB REST and Websocket API

# MongoDB REST and Websocket API
# see https://restheart.org/docs/tutorial
  enabled: true
  uri: /

  # Use mongo-mounts to expose MongoDb resources binding them to API URIs.
  # The parameter 'what' identifies the MongoDb resource to expose.
  # The format is /db[/coll[/docid]]
  # Use the wildcard '*' to expose all dbs.
  # The parameter 'where' defines the URI to bind the resource to.
  # It can be an absolute path (eg. /api) or path template (eg. /{foo}/bar/*).
  # The values of the path templates properties are available:
  # - in the 'what' property (e.g. what: /{foo}_db/coll)
  # - programmatically from MongoRequest.getPathTemplateParamenters() method.
  # It is not possible to mix absolute paths and path templates: 'where' URIs
  # need to be either all absolute paths or all path templates.
  # Examples:
  # The following exposes all MongoDb resources.
  # In this case the URI of a document is /db/coll/docid
  #   - what: "*"
  #     where: /
  # The following binds the URI /database to the db 'db'
  # In this case the URI of a document is /database/coll/docid
  #   - what: /db
  #     where: /database
  # The following binds the URI /api to the collection 'db.coll'
  # In this case the URI of a document is /api/docid
  #   - what: /db/coll
  #     where: /api
    - what: /restheart
      where: /

  # Default representation format https://restheart.org/docs/mongodb-rest/representation-format/#other-representation-formats
  default-representation-format: STANDARD

  # Default etag check policy https://restheart.org/docs/mongodb-rest/etag/#etag-policy
    doc: OPTIONAL

  # get collection cache speedups GET /coll?cache requests
  get-collection-cache-size: 100
  get-collection-cache-ttl: 10_000 # Time To Live, default 10 seconds
  get-collection-cache-docs: 1000 # number of documents to cache for each request

  # Check if aggregation variables use operators. https://restheart.org/docs/mongodb-rest/aggregations/#security-considerations
  aggregation-check-operators: true

  # default-pagesize is the number of documents returned when the pagesize query
  # parameter is not specified
  # see https://restheart.org/docs/read-docs#paging
  default-pagesize: 100

  # max-pagesize sets the maximum allowed value of the pagesize query parameter
  # generally, the greater the pagesize, the more json serializan overhead occurs
  # the rule of thumb is not exeeding 1000
  max-pagesize: 1000

  # local-cache allows to cache the db and collection properties to drammatically
  # improve performaces. Without caching, a GET on a document would requires
  # two additional queries to retrieve the db and the collection properties.
  # Pay attention to local caching only in case of multi-node deployments (horizontal scalability).
  # In this case a change in a db or collection properties would reflect on other
  # nodes at worst after TTL milliseconds (cache entries time to live).
  # In most of the cases Dbs and collections properties only change at development time.
  local-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  local-cache-ttl: 60000

  # cache for JSON Schemas
  schema-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  schema-cache-ttl: 60000

  # Time limit in milliseconds for processing queries on the server (without network latency). 0 means no time limit
  query-time-limit: 0
  # Time limit in milliseconds for processing aggregations on the server (without network latency). 0 means no time limit
  aggregation-time-limit: 0

  # see https://restheart.org/docs/mongodb-rest/monitoring
  # OFF => no gathering, ROOT => gathering at root level, DATABASE => at db level, COLLECTION => at collection level
  metrics-gathering-level: "OFF"

MongoDB GraphQL Service

# MongoDB GraphQL API
# see https://restheart.org/docs/mongodb-graphql/
  uri: /graphql
  db: restheart
  collection: gql-apps
  # default-limit is used for queries that don't not specify a limit
  default-limit: 100
  # max-limit is the maximum value for a Query limit
  max-limit: 1000
  verbose: false

Proxied resources

# Proxied resources - expose exrernal API with RESTHeart acting as a reverese proxy
# see https://restheart.org/docs/proxy
# options:#
#  - location (required) The location URI to bound to the HTTP proxied server.
#  - proxy-pass (required) The URL of the HTTP proxied server. It can be an array of URLs for load balancing.
#  - name (optional) The name of the proxy. It is required to identify 'restheart'.
#  - rewrite-host-header (optional, default true) should the HOST header be rewritten to use the target host of the call.
#  - connections-per-thread (optional, default 10) Controls the number of connections to create per thread.
#  - soft-max-connections-per-thread (optional, default 5) Controls the number of connections to create per thread.
#  - max-queue-size (optional, default 0) Controls the number of connections to create per thread.
#  - connections-ttl (optional, default -1) Connections Time to Live in seconds.
#  - problem-server-retry (optional, default 10) Time in seconds between retries for problem server.
#   - location: /anything
#     proxy-pass: https://httpbin.org/anything
#     name: anything

Static Web Resources

# Static Web Resources - serve static files with RESTHeart acting a web server
# see https://restheart.org/docs/static-resources
#  - what: /path/to/resources
#    where: /static
#    welcome-file: index.html
#    embedded: false

Other services

# Service to GET and DELETE (invalidate) the user auth token generated by the TokenManager
  uri: /tokens

# Simple ping service
  enabled: true
  msg: Greetings from RESTHeart!

# Returns the roles of the authenticated user
  uri: /roles

# a global blacklist for mongodb operators in filter query parameter
  blacklist: [ "$where" ]
  enabled: true

# bruteForceAttackGuard defends from brute force password cracking attacks
# by returning `429 Too Many Requests` when more than
# `max-failed-attempts` requests with wrong credentials
# are received in last 10 seconds from the same ip
  enabled: false
  # max number of failed attempts in 10 seconds sliding window
  # before returning 429 Too Many Requests
  max-failed-attempts: 5
  # if true, the source ip is obtained from X-Forwarded-For header
  # this requires that header beeing set by the proxy, dangerous otherwise
  trust-x-forwarded-for: false
  # when X-Forwarded-For has multiple values,
  # take into account the n-th from last element
  # e.g. with [x.x.x.x, y.y.y.y., z.z.z.z, k.k.k.k]
  # 0 -> k.k.k.k
  # 2 -> y.y.y.y
  x-forwarded-for-value-from-last-element: 0


# Logging
# see https://restheart.org/docs/logging
# Options:
# - log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# - log-to-console: true => log messages to the console (default value: true)
# - ansi-console: use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
# - log-to-file: true => log messages to a file (default value: false)
# - log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# - packages: only messages form these packages are logged, e.g. [ "org.restheart", "com.restheart", "io.undertow", "org.mongodb" ]
# - requests-log-mode: 0 => no log, 1 => light log, 2 => detailed dump (use 2 only for development, it can log credentials)
# - tracing-headers (default, empty = no tracing): add tracing HTTP headers (Use with %X{header-name} in logback.xml); see https://restheart.org/docs/auditing

  log-level: INFO
  log-to-console: true
  ansi-console: true
  log-to-file: false
  log-file-path: restheart.log
  packages: [ "org.restheart", "com.restheart" ]
  requests-log-mode: 1
  #  - x-b3-traceid      # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
  #  - x-b3-spanid
  #  - x-b3-parentspanid
  #  - x-b3-sampled      # ^^
  #  - uber-trace-id     # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
  #  - traceparent       # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
  #  - tracestate        # ^^

Core module configuration

# base configuration for core module
  # The name of this instance. Displayed in log, also allows to implement instance specific custom code
  name: default

  # The directory containing the plugins jars.
  # The path is either absolute (starts with /) or relative to the restheart.jar file
  # Just add the plugins jar to plugins-directory and they will be automatically
  # added to the classpath and registered.
  plugins-directory: plugins

  # Optionally define the base url of this instance
  # Useful when RESTHeart is mediated by a reverse proxy or an API gateway to determine the instance's correct URL
  base-url: null

  # Number of I/O threads created for non-blocking tasks. Suggested value: core*8.
  # if <= 0, use the number of cores.
  io-threads: 0

  # Number of threads created for blocking tasks (such as ones involving db access). Suggested value: core*8
  # if < 0, use the number of cores * 8. With 0 working threads, blocking services won't work.
  worker-threads: -1

  # Limit for the maximum number of concurrent requests being served
  requests-limit: 1000

  # Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
  # Setting to 1024 * 16 - 20; the 20 is to allow some space for getProtocol headers, see UNDERTOW-1209
  buffer-size: 16364

  # Should the buffer pool use direct buffers, this instructs the JVM to use native (if possible) I/O operations on the buffers
  direct-buffers: true

  # In order to save bandwitdth, force requests to support the giz encoding (if not, requests will be rejected)
  force-gzip-encoding: false

   # true to allow unescaped characters in URL
  allow-unescaped-characters-in-url: true

Connection options

# Connection Options
  # Enable HTTP/2 support
  # Note: HTTP2 as implemented by major browsers requires the use of TLS
  # How to enable TLS https://restheart.org/docs/security/tls/
  # How to check HTTP/2 protocol https://stackoverflow.com/a/54164719/4481670
  ENABLE_HTTP2: true

  # The maximum size of a HTTP header block, in bytes.
  # If a client sends more data that this as part of the request header then the connection will be closed.
  # Defaults to 1Mbyte.
  MAX_HEADER_SIZE: 1048576

  # The default maximum size of a request entity.
  # Defaults to unlimited.

  #The default maximum size of the HTTP entity body when using the mutiltipart parser.
  # Generall this will be larger than MAX_ENTITY_SIZE
  # If this is not specified it will be the same as MAX_ENTITY_SIZE

  # The idle timeout in milliseconds after which the channel will be closed.
  # If the underlying channel already has a read or write timeout set
  # the smaller of the two values will be used for read/write timeouts.
  # Defaults to unlimited (-1).

  # The maximum allowed time of reading HTTP request in milliseconds.
  # -1 or missing value disables this functionality.

  # The amount of time the connection can be idle with no current requests
  # before it is closed;
  # Defaults to unlimited (-1).

  # The maximum number of query parameters that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 1000.

  # The maximum number of headers that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.

  # The maximum number of cookies that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.

  # The charset to use to decode the URL and query parameters.
  # Defaults to UTF-8.

  # If this is true then a Connection: keep-alive header will be added to responses,
  # even when it is not strictly required by the specification.
  # Defaults to true

  # If this is true then a Date header will be added to all responses.
  # The HTTP spec says this header should be added to all responses,
  # unless the server does not have an accurate clock.
  # Defaults to true