Spring Boot Misconfiguration: H2 console enabled
Description
The H2 database console is a web-based administrative interface that provides direct access to H2 databases. This console is designed for development and debugging purposes only and should never be enabled in production environments. Analysis has identified that the H2 console is currently accessible on this Spring Boot application, exposing database management functionality to potential unauthorized access.
Remediation
Disable the H2 console immediately in all production and staging environments. Follow these steps to remediate:
1. Disable H2 Console in Configuration:
Add or modify the following property in your application.properties file:
spring.h2.console.enabled=false
Alternatively, in application.yml:
spring:
  h2:
    console:
      enabled: false
2. Verify the Change:
Restart the application and confirm that the H2 console is no longer accessible at /h2-console or any configured path.
3. Environment-Specific Configuration:
If you need the console enabled for local development, use profile-specific configuration files (e.g., application-dev.properties) and ensure production profiles explicitly disable it.
4. Review Access Controls:
If the console must remain enabled in non-production environments, require strong authentication, restrict access by IP address or network segment, and use strong, unique credentials for the database itself.
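Steps 1 and 3 together come down to one question per deployment profile: what is the effective value of spring.h2.console.enabled once the base file and the profile-specific file are merged? The script below is an added audit example written for this page, not part of the advisory or of Spring Boot. It flattens application.properties and application.yml style files into dotted keys, applies Spring Boot's rule that a profile-specific file overrides the base file (and that the property defaults to false when nothing sets it), and reports every non-development profile in which the console would still be enabled. The file contents in SAMPLE_FILES are constructed samples; the function names are this example's own.

```python
"""Audit Spring Boot configuration files for an enabled H2 console.

Added example, not code from the advisory or from Spring Boot itself. It resolves
the effective value of spring.h2.console.enabled per profile by merging the base
file with the profile-specific file, the way Spring Boot's property sources layer.
Limitations: only files are inspected (environment variables such as
SPRING_H2_CONSOLE_ENABLED, command-line arguments and multi-document YAML with
spring.config.activate.on-profile are not modelled), and the YAML parser handles
nested mappings with scalar leaves only (no sequences, anchors or flow syntax).
"""
import re

H2_KEY = "spring.h2.console.enabled"
H2_PATH_KEY = "spring.h2.console.path"
DEFAULT_H2_PATH = "/h2-console"  # Spring Boot's default console path


def parse_properties(text):
    """Flatten a .properties document into {dotted.key: value}."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        # key=value, key: value and key value are all valid .properties syntax
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_yaml_mapping(text):
    """Flatten a simple nested YAML mapping into {dotted.key: value}.

    Deliberately minimal: indentation-based nesting of mappings whose leaves are
    scalars, which is what a typical Spring Boot property tree looks like.
    """
    props = {}
    stack = []  # (indent, key) for each open mapping level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.split(" #")[0].strip().strip("'\"")  # drop trailing comment/quotes
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close deeper or sibling levels
        stack.append((indent, key.strip()))
        if value != "":
            props[".".join(k for _, k in stack)] = value
    return props


def merged_properties(config_files, active_profile):
    """Merge base and profile-specific files in Spring Boot precedence order.

    config_files maps file names to their text. Returns (props, source), where
    source records which file set each key last (later files win).
    """
    props, source = {}, {}
    ordered = [n for n in config_files if re.fullmatch(r"application\.(properties|ya?ml)", n)]
    ordered += [n for n in config_files
                if re.fullmatch(rf"application-{re.escape(active_profile)}\.(properties|ya?ml)", n)]
    for name in ordered:
        parser = parse_properties if name.endswith(".properties") else parse_yaml_mapping
        for key, value in parser(config_files[name]).items():
            props[key], source[key] = value, name
    return props, source


def effective_h2_console(config_files, active_profile):
    """Return (enabled, explanation) for the given active profile."""
    props, source = merged_properties(config_files, active_profile)
    if H2_KEY not in props:
        return False, "default (property not set)"  # Spring Boot default is false
    return props[H2_KEY].strip().lower() == "true", f"{source[H2_KEY]}: {H2_KEY}={props[H2_KEY]}"


def audit(config_files, profiles=("prod", "staging")):
    """List every non-development profile in which the console ends up enabled."""
    findings = []
    for profile in profiles:
        enabled, explanation = effective_h2_console(config_files, profile)
        if enabled:
            props, _ = merged_properties(config_files, profile)
            path = props.get(H2_PATH_KEY, DEFAULT_H2_PATH)
            findings.append(f"profile '{profile}': H2 console ENABLED at {path} via {explanation}")
    return findings


# Constructed sample files (not from any real project) showing a common mistake:
# the base file turns the console on, prod overrides it, staging forgets to.
SAMPLE_FILES = {
    "application.properties": "spring.datasource.url=jdbc:h2:mem:testdb\nspring.h2.console.enabled=true\n",
    "application-dev.yml": "spring:\n  h2:\n    console:\n      enabled: true\n      path: /h2-console\n",
    "application-prod.yml": "spring:\n  h2:\n    console:\n      enabled: false\n",
    "application-staging.properties": "server.port=8081\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES) or ["no profile enables the H2 console"]:
        print(finding)
```

Run against the sample set, the audit reports only the staging profile: prod is clean because its profile file sets enabled: false, while staging inherits enabled=true from the base file, which is exactly the gap step 3 warns about. Step 2 still applies afterwards, since anything set through environment variables or command-line arguments overrides these files: restart the application with the target profile active and confirm that a request to the console path is refused.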