Edit Page

Default Configuration

Introduction

This page presents the RESTHeart default configuration splitting it in different sections.

The default configuration applies when RESTHeart is started without specifying a configuration file:

$ java -jar restheart.jar

The default configuration template can be printed out with the following command:

$ java -jar restheart.jar -t
Note
The default configuration is fine most of the times. You just want to change few options and the suggested way is using the default configuration with the needed overrides. See modify the configuration with overrides

Standalone configuration

The default configuration enables several plugins that require MongoDB. If you are using RESTHeart without MongoDB an alternative default configuration can be used with the -s option, where s stands for standalone.

This configuration enables the fileRealmAuthenticator and the fileAclAuthorizer and disables the MongoDB data APIs.

It defines the user admin but the password must be set overriding the configuration. The following command sets the password of the admin user as secret using the RHO environment variable:

$ RHO="/fileRealmAuthenticator/users[userid='admin']/password->'secret'" java -jar core/target/restheart.jar -s

Listeners

# RESTHeart Configuration File.
## See https://restheart.org/docs/setup/#configuration-files

---
# HTTP Listener
# WARNING: Using the http listener is not secure.
http-listener:
  enabled: true
  host: localhost
  port: 8080

# HTTPS Listener
https-listener:
  enabled: false
  host: localhost
  port: 4443
  # The https listener requires setting up a TLS certificate.
  # See https://restheart.org/docs/security/tls/
  keystore-path: null
  keystore-password: null
  certificate-password: null

# AJP Listener
ajp-listener:
  enabled: false
  host: localhost
  port: 8009

Authentication Mechanisms

# Auth Token Authentication
# The verified token is generated by the enabled token manager
# See https://restheart.org/docs/security/authentication#token-authentication
tokenBasicAuthMechanism:
  enabled: true

# Basic Authentication
# See https://restheart.org/docs/security/authentication#basic-authentication
basicAuthMechanism:
  enabled: true
  authenticator: mongoRealmAuthenticator

# JSON Web Token Authentication
# See https://restheart.org/docs/security/authentication#jwt-authentication
jwtAuthenticationMechanism:
  enabled: false
  algorithm: HS256
  key: secret
  base64Encoded: false
  usernameClaim: sub
  rolesClaim: roles
  fixedRoles: []
  #  - jwt-role
  issuer: restheart.org
  audience: null

# Digest Authentication
# See https://restheart.org/docs/security/authentication#digest-authentication
digestAuthMechanism:
  # Disabled by default: requires plaintext passwords but mongoRealmAuthenticator uses bcrypt hashing
  enabled: false
  realm: RESTHeart Realm
  domain: localhost
  authenticator: mongoRealmAuthenticator

# For development purposes. Always authenticate the request with the given user
# See https://restheart.org/docs/security/authentication#identity-authentication
identityAuthMechanism:
  enabled: false
  username: admin
  roles:
    - admind
    - user

Authenticators

# fileRealmAuthenticator defines user credentials and roles inline or in a simple YAML con-file.
# See https://restheart.org/docs/security/authentication#file-realm-authenticator
fileRealmAuthenticator:
  enabled: false
  #conf-file: ./users.yml
  users:
    - userid: admin
      password: null
      roles: [admin]

# mongoRealmAuthenticator authenticates users defined in a MongoDB collection.
# See https://restheart.org/docs/security/authentication#mongo-realm-authenticator
mongoRealmAuthenticator:
  enabled: true
  users-db: restheart
  users-collection: users
  prop-id: _id
  prop-password: password
  json-path-roles: $.roles
  bcrypt-hashed-password: true
  bcrypt-complexity: 12
  # When true, API requests to create or update accounts will return HTTP 400
  # (Bad Request) if the provided password fails strength validation
  enforce-minimum-password-strength: false
  # Password strength levels: 0=Weak, 1=Fair, 2=Good, 3=Strong, 4=Very Strong
  minimum-password-strength: 3
  # When enabled, creates a default admin user at RestHeart startup if no admin user exists
  create-user: true
  # Defines the user document structure for the default admin user created at startup.
  # Password must be bcrypt-hashed when bcrypt-hashed-password=true
  # Default password is 'secret' (hashed below)
  # See https://bcrypt-generator.com for generating bcrypt hashes
  create-user-document: '{"_id": "admin", "password": "$2a$12$lZiMMNJ6pkyg4uq/I1cF5uxzUbU25aXHtg7W7sD2ED7DG1wzUoo6u", "roles": ["admin"]}'
  cache-enabled: false
  cache-size: 1_000
  cache-ttl: 60_000 # in milliseconds
  cache-expire-policy: AFTER_WRITE

# Cookie Authentication
# see: https://restheart.org/docs/security/authentication#cookie-authentication

# Sets auth cookie on successful authentication when '?set-auth-cookie' is present
# Compatible with both rndTokenManager and jwtTokenManager
authCookieSetter:
  enabled: false          # Not enabled by default
  name: rh_auth           # The name of the cookie to be set
  domain: localhost       # The domain within which the cookie is valid.
  path: /                 # The cookie path, applicable to the entire domain.
  http-only: true         # If true enhances security by making the cookie inaccessible to JavaScript.
  same-site: true         # Restricts the cookie to first-party contexts, preventing CSRF attacks.
  same-site-mode: strict  # Strictly prevents the cookie from being sent along with cross-site requests.
  expires-ttl: 86_400     # Defines the duration in seconds for which the cookie is valid (default: 86400 seconds = 1 day). When using jwtTokenManager, this value should match the TTL configured at /jwtTokenManager/ttl.

# Creates Authorization header from auth cookie. Compatible with Basic and JWT auth.
authCookieHandler:
  enabled: false          # Not enabled by default

# Clears auth cookie on POST /logout, logging out the user
authCookieRemover:
  enabled: false          # Not enabled by default
  secure: false           # If request to clean the cookie should be authenticated
  defaultUri: /logout     # The endpoint that triggers this service.

Authorizers

# fileAclAuthorizer authorizes requests according to the Access Control List defined inline or in a YAML file.
# See https://restheart.org/docs/security/authorization#file-acl-authorizer
fileAclAuthorizer:
  enabled: false
  #conf-file: ./acl.yml
  permissions:
    - role: admin
      predicate: path-prefix('/')
      priority: 0

# mongoAclAuthorizer authorizes requests according to the Access Control List defined in a MongoDB collection.
# See https://restheart.org/docs/security/authorization#mongo-acl-authorizer
mongoAclAuthorizer:
  enabled: true
  acl-db: restheart
  acl-collection: acl
  # Clients with root-role can execute any request
  root-role: admin
  cache-enabled: true
  cache-size: 1_000
  cache-ttl: 5_000 # in milliseconds
  cache-expire-policy: AFTER_WRITE

# originVetoer protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted
# See https://restheart.org/docs/security/authorization#originvetoer
originVetoer:
  enabled: false
  whitelist:
    - https://restheart.org
    - http://localhost
  # Optional paths to skip Origin header checks. Supports patterns like /{var}/path/*
  # ignore-paths:
  #   - /{tenant}/bucket.files/{id}/binary
  #   - /coll/docid

# fullAuthorizer authorizes all requests
fullAuthorizer:
  enabled: false
  authentication-required: true

Token Managers

# Token Manager
# See https://restheart.org/docs/security/authentication#token-managers

# Generates and verifies auth tokens. First configured manager is used.
# Token returned via auth-token header on successful authentication.

# rndTokenService generates auth tokens using a random number generator.
rndTokenManager:
  enabled: true
  ttl: 15 # in minutes
  srv-uri: /tokens

# jwtTokenManager generates JWT auth tokens.
# Use this in clustered deployments, since all nodes sharing the key
# can verify the token independently
jwtTokenManager:
  enabled: false
  key: secret
  ttl: 15 # in minutes
  srv-uri: /tokens
  issuer: restheart.org
  audience: null
  # additional JWT claims from accounts properties
  account-properties-claims:
  # - foo # property name
  # - /nested/property # xpath expr for nested properties

Mongo Client Provider

# Provider the MongoClient via @Inject('mclient')
mclient:
  # See https://docs.mongodb.com/manual/reference/connection-string/
  connection-string: mongodb://127.0.0.1

MongoService: MongoDB REST and Websocket API

# MongoDB REST and Websocket API
# See https://restheart.org/docs/tutorial
mongo:
  enabled: true
  uri: /

  # Expose MongoDB resources at specific URIs.
  # 'what': MongoDB resource (/db[/coll[/docid]]) or '*' for all databases
  # 'where': URI binding (absolute path or template like /{foo}/bar/*)
  # Note: Cannot mix absolute paths and path templates in 'where' URIs
  #
  # Examples:
  # The following exposes all MongoDb resources.
  # In this case the URI of a document is /db/coll/docid
  #
  #   - what: "*"
  #     where: /
  #
  # The following binds the URI /database to the db 'db'
  # In this case the URI of a document is /database/coll/docid
  #
  #   - what: /db
  #     where: /database
  #
  # The following binds the URI /api to the collection 'db.coll'
  # In this case the URI of a document is /api/docid
  #
  #   - what: /db/coll
  #     where: /api
  mongo-mounts:
    - what: /restheart
      where: /

  # Default representation format https://restheart.org/docs/mongodb-rest/representation-format/#other-representation-formats
  default-representation-format: STANDARD

  # Default etag check policy https://restheart.org/docs/mongodb-rest/etag/#etag-policy
  etag-check-policy:
    db: REQUIRED_FOR_DELETE
    coll: REQUIRED_FOR_DELETE
    doc: OPTIONAL

  # get collection cache speedups GET /coll?cache requests
  get-collection-cache-enabled: true
  get-collection-cache-size: 100
  get-collection-cache-ttl: 10_000 # Time To Live, in milliseconds default 10 seconds
  get-collection-cache-docs: 1_000 # number of documents to cache for each request

  # Check if aggregation variables use operators. https://restheart.org/docs/mongodb-rest/aggregations/#security-considerations
  aggregation-check-operators: true

  # default-pagesize is the number of documents returned when the pagesize query
  # parameter is not specified
  # See https://restheart.org/docs/read-docs#paging
  default-pagesize: 100

  # max-pagesize sets the maximum allowed value of the pagesize query parameter
  # Generally, the greater the pagesize, the more json serialization overhead occurs
  # The rule of thumb is not exceeding 1000
  max-pagesize: 1_000

  # Caches db/collection properties for better performance, avoiding 2 extra queries per document GET.
  # In multi-node deployments, property changes may take up to TTL milliseconds to sync across nodes.
  # Database and collection properties typically change only during development.
  local-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  local-cache-ttl: 60_000 # in milliseconds

  # cache for JSON Schemas
  schema-cache-enabled: true
  # TTL in milliseconds; specify a value < 0 to never expire cached entries
  schema-cache-ttl: 60_000 # in milliseconds

  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  query-time-limit: 0 # in milliseconds
  # The time limit in milliseconds for processing aggregations. Set to 0 for no time limit.
  aggregation-time-limit: 0 # in milliseconds

MongoDB GraphQL Service

# MongoDB GraphQL API
# See https://restheart.org/docs/mongodb-graphql/
graphql:
  uri: /graphql
  db: restheart
  collection: gql-apps
  # app cache can be disabled if needed, such as during testing or development
  app-cache-enabled: true
  # app cache entries are automatically revalidated every TTR milliseconds
  app-cache-ttr: 60_000 # in milliseconds
  # default-limit is used for queries that don't specify a limit
  default-limit: 100
  # max-limit is the maximum value for a Query limit
  max-limit: 1_000
  # The time limit in milliseconds for processing queries. Set to 0 for no time limit.
  query-time-limit: 0 # in milliseconds
  verbose: false

# Automatically creates indexes on {"descriptor.uri":1} and {"descriptor.name":1}
# for GraphQL applications to improve query performance when fetching app definitions
# at scale. Enable if you have many GraphQL applications.
createIndexesOnGqlApps:
  enabled: false
Note
app-cache-enabled and app-cache-ttr are available from v8.0.9 and v8.0.11, respectively. Earlier versions use an expiring cache policy with TTL configurable via the now-deprecated graphql/app-def-cache-ttl option. See issue #523.

Proxied resources

# Proxied resources - expose external APIs with RESTHeart acting as a reverse proxy
# See https://restheart.org/docs/proxy
# options:#
#  - location (required) The location URI to bound to the HTTP proxied server.
#  - proxy-pass (required) The URL of the HTTP proxied server. It can be an array of URLs for load balancing.
#  - name (optional) The name of the proxy. It is required to identify 'restheart'.
#  - rewrite-host-header (optional, default true) should the HOST header be rewritten to use the target host of the call.
#  - connections-per-thread (optional, default 10) Controls the number of connections to create per thread.
#  - soft-max-connections-per-thread (optional, default 5) Controls the number of connections to create per thread.
#  - max-queue-size (optional, default 0) Controls the number of connections to create per thread.
#  - connections-ttl (optional, default -1) Connections Time to Live in seconds.
#  - problem-server-retry (optional, default 10) Time in seconds between retries for problem server.
proxies:
#   - location: /anything
#     proxy-pass: https://httpbin.org/anything
#     name: anything

Static Web Resources

# Static Web Resources - serve static files with RESTHeart acting a web server
# See https://restheart.org/docs/static-resources
static-resources:
#  - what: /path/to/resources
#    where: /static
#    welcome-file: index.html
#    embedded: false

Other services

# Service to GET and DELETE (invalidate) the user auth token generated by the TokenManager
authTokenService:
  uri: /tokens

# Simple ping service
# Must respond with HTTP 200 OK
# If enable-extended-response is true, returns the following JSON response
# {
#    "client_ip": "<caller ip>",
#    "host": "<hostname>",
#    "message": "Greetings from RESTHeart!",
#    "version": "<RESTHeart version>"
# }
ping:
  enabled: true
  msg: Greetings from RESTHeart!
  enable-extended-response: true

# Returns the roles of the authenticated user
roles:
  uri: /roles

# A global blacklist for mongodb operators in filter query parameter
filterOperatorsBlacklist:
  blacklist: [ "$where" ]
  enabled: true

# bruteForceAttackGuard defends from brute force password cracking attacks
# by returning `429 Too Many Requests` when more than
# `max-failed-attempts` requests with wrong credentials
# are received in last 10 seconds from the same ip
bruteForceAttackGuard:
  enabled: false
  # Max number of failed attempts in 10 seconds sliding window
  # before returning 429 Too Many Requests
  max-failed-attempts: 5
  # If true, the source ip is obtained from X-Forwarded-For header
  # this requires that header being set by the proxy, dangerous otherwise
  trust-x-forwarded-for: false
  # When X-Forwarded-For has multiple values,
  # take into account the n-th from last element
  # e.g. with [x.x.x.x, y.y.y.y., z.z.z.z, k.k.k.k]
  # 0 -> k.k.k.k
  # 2 -> y.y.y.y
  x-forwarded-for-value-from-last-element: 0

# Sets the X-Powered-By: restheart.org response header
xPoweredBy:
  enabled: true

# Sets the Date response header
dateHeader:
  enabled: true

Logging

# Logging
# See https://restheart.org/docs/logging
# Options:
# - log-level: to set the log level. Value can be OFF, ERROR, WARN, INFO, DEBUG, TRACE and ALL. (default value is INFO)
# - log-to-console: true => log messages to the console (default value: true)
# - ansi-console: use Ansi console for logging. Default to 'true' if parameter missing, for backward compatibility
# - log-to-file: true => log messages to a file (default value: false)
# - log-file-path: to specify the log file path (default value: restheart.log in system temporary directory)
# - packages: only messages form these packages are logged, e.g. [ "org.restheart", "com.restheart", "io.undertow", "org.mongodb" ]
# - full-stacktrace: true to log the full stacktrace of exceptions
# - requests-log-mode: 0 => no log, 1 => light log, 2 => detailed dump (use 2 only for development, it can log credentials)
# - tracing-headers (default, empty = no tracing): add tracing HTTP headers (Use with %X{header-name} in logback.xml); see https://restheart.org/docs/auditing

logging:
  log-level: INFO
  log-to-console: true
  ansi-console: true
  log-to-file: false
  log-file-path: restheart.log
  packages: [ "org.restheart", "com.restheart" ]
  full-stacktrace: false
  requests-log-mode: 1
  tracing-headers:
  #  - x-b3-traceid      # vv Zipkin headers, see https://github.com/openzipkin/b3-propagation
  #  - x-b3-spanid
  #  - x-b3-parentspanid
  #  - x-b3-sampled      # ^^
  #  - uber-trace-id     # jaeger header, see https://www.jaegertracing.io/docs/client-libraries/#trace-span-identity
  #  - traceparent       # vv opencensus.io headers, see https://github.com/w3c/distributed-tracing/blob/master/trace_context/HTTP_HEADER_FORMAT.md
  #  - tracestate        # ^^

Metrics

# Metrics see https://restheart.org/docs/metrics

metrics:
  enabled: true
  uri: /metrics

requestsMetricsCollector:
  enabled: false
  include: [ "/*" ]
  exclude: [ "/metrics", "/metrics/*" ]

jvmMetricsCollector:
  enabled: false

Core module configuration

# Base configuration for core module
core:
  # The name of this instance. Displayed in log, also allows to implement instance specific custom code
  name: default

  # The directory containing the plugins jars.
  # The path is either absolute (starts with /) or relative to the restheart.jar file
  # Just add the plugins jar to plugins-directory and they will be automatically
  # added to the classpath and registered.
  plugins-directory: plugins

  # Limit the scanning of classes annotated with @RegisterPlugin
  # to the specified packages. It can speedup the boot time
  # in case of huge plugin jars. It is usually not required.
  # Use an empty array to not limit scanning.
  # Always add the package org.restheart to the list
  plugins-packages: []

  # Set to true for verbose logging of jar scanning for plugins
  plugins-scanning-verbose: false

  # Optionally define the base url of this instance
  # Useful when RESTHeart is mediated by a reverse proxy or an API gateway to determine the instance's correct URL
  base-url: null

  # Number of I/O threads created for non-blocking tasks. Suggested value: core.
  # If <= 0, use the number of cores.
  io-threads: 0

  # Initial number of platform carrier threads for executing worker virtual threads in blocking operations.
  # Suggested value: 1.5*core.
  # If <= 0, use 1.5 times the number of cores.
  workers-scheduler-parallelism: 0

  # Max number of platform carrier threads for executing worker virtual threads in blocking operations.
  workers-scheduler-max-pool-size: 256

  # Set to true to pool buffers for io-threads. buffers pooling is always disabled for virtual worker threads.
  buffers-pooling: true

  # Use 16k buffers for best performance - as in linux 16k is generally the default amount of data that can be sent in a single write() call
  # Setting to 1024 * 16 - 20; the 20 is to allow some space for getProtocol headers, see UNDERTOW-1209
  buffer-size: 16364

  # Specifies whether the buffer pool for I/O threads should use direct buffers.
  # Direct buffers enable the JVM to leverage native I/O operations if supported by the system.
  # Virtual working threads always use heap buffers because they are faster for their operations.
  direct-buffers: true

  # In order to save bandwidth, force requests to support the giz encoding (if not, requests will be rejected)
  force-gzip-encoding: false

  # true to allow unescaped characters in URL
  allow-unescaped-characters-in-url: true

Connection options

# Connection Options
connection-options:
  # Enable HTTP/2 support
  # Note: HTTP2 as implemented by major browsers requires the use of TLS
  # How to enable TLS https://restheart.org/docs/security/tls/
  # How to check HTTP/2 protocol https://stackoverflow.com/a/54164719/4481670
  ENABLE_HTTP2: true

  # The maximum size of a HTTP header block, in bytes.
  # If a client sends more data that this as part of the request header then the connection will be closed.
  # Defaults to 1Mbyte.
  MAX_HEADER_SIZE: 1048576

  # The default maximum size of a request entity.
  # Defaults to unlimited.
  MAX_ENTITY_SIZE: -1

  #The default maximum size of the HTTP entity body when using the mutiltipart parser.
  # Generally this will be larger than MAX_ENTITY_SIZE
  # If this is not specified it will be the same as MAX_ENTITY_SIZE
  MULTIPART_MAX_ENTITY_SIZE: -1

  # The idle timeout in milliseconds after which the channel will be closed.
  # If the underlying channel already has a read or write timeout set
  # The smaller of the two values will be used for read/write timeouts.
  # Defaults to unlimited (-1).
  IDLE_TIMEOUT: -1

  # The maximum allowed time of reading HTTP request in milliseconds.
  # -1 or missing value disables this functionality.
  REQUEST_PARSE_TIMEOUT: -1

  # The amount of time the connection can be idle with no current requests
  # before it is closed;
  # Defaults to unlimited (-1).
  NO_REQUEST_TIMEOUT: -1

  # The maximum number of query parameters that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 1000.
  MAX_PARAMETERS: 1_000

  # The maximum number of headers that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.
  MAX_HEADERS: 200

  # The maximum number of cookies that are permitted in a request.
  # If a client sends more than this number the connection will be closed.
  # This limit is necessary to protect against hash based denial of service attacks.
  # Defaults to 200.
  MAX_COOKIES: 200

  # The charset to use to decode the URL and query parameters.
  # Defaults to UTF-8.
  URL_CHARSET: UTF-8

  # If this is true then a Connection: keep-alive header will be added to responses,
  # even when it is not strictly required by the specification.
  # Defaults to true
  ALWAYS_SET_KEEP_ALIVE: true