Commit 89e050d7 authored by Andy Wilkinson

Document security risks of DevTools' remote support more clearly

Previously, the security risks and our recommendations on how to
mitigate them were not documented as clearly as they could have been.
This commit makes some changes to try to address this:

1. The security risk is now noted at the beginning of the section
2. The recommendation to use SSL is now documented more prominently
   and an alternative recommendation to only use remote support on
   a trusted network has been added.
3. The example secret has been removed to prevent copy and paste
4. A recommendation to use a secret that is unique and strong has been
   added

Closes gh-18825
parent c7801059
...@@ -912,7 +912,11 @@ NOTE: Profiles activated in `.spring-boot-devtools.properties` will not affect t ...@@ -912,7 +912,11 @@ NOTE: Profiles activated in `.spring-boot-devtools.properties` will not affect t
=== Remote Applications === Remote Applications
The Spring Boot developer tools are not limited to local development. The Spring Boot developer tools are not limited to local development.
You can also use several features when running applications remotely. You can also use several features when running applications remotely.
Remote support is opt-in. Remote support is opt-in as enabling it can be a security risk.
It should only be enabled when running on a trusted network or when secured with SSL.
If neither of these options is available to you, you should not use DevTools' remote support.
You should never enable support on a production deployment.
To enable it, you need to make sure that `devtools` is included in the repackaged archive, as shown in the following listing: To enable it, you need to make sure that `devtools` is included in the repackaged archive, as shown in the following listing:
[source,xml,indent=0,subs="verbatim,quotes,attributes"] [source,xml,indent=0,subs="verbatim,quotes,attributes"]
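Review bot: "It should only be enabled when running on a trusted network or when secured with SSL" presents the two conditions as interchangeable, but they cover different risks: a trusted network limits who can reach the endpoint, while SSL protects the secret and the traffic from anyone able to observe the connection, so either one alone still leaves a gap. Consider recommending both where possible, e.g. "It should only be enabled on a trusted network and, wherever possible, also secured with SSL", and briefly saying what "trusted" means here (a network on which every host is one you control). Minor style point: the paragraph switches between "Spring Boot developer tools", `devtools` and "DevTools'"; the surrounding section uses `devtools`.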
...@@ -930,15 +934,8 @@ To enable it, you need to make sure that `devtools` is included in the repackage ...@@ -930,15 +934,8 @@ To enable it, you need to make sure that `devtools` is included in the repackage
</build> </build>
---- ----
Then you need to set a `spring.devtools.remote.secret` property, as shown in the following example: Then you need to set the `spring.devtools.remote.secret` property.
Like any important password or secret, the value should be unique and strong such that it cannot be guessed or brute-forced.
[source,properties,indent=0]
----
spring.devtools.remote.secret=mysecret
----
WARNING: Enabling `spring-boot-devtools` on a remote application is a security risk.
You should never enable support on a production deployment.
Remote devtools support is provided in two parts: a server-side endpoint that accepts connections and a client application that you run in your IDE. Remote devtools support is provided in two parts: a server-side endpoint that accepts connections and a client application that you run in your IDE.
The server component is automatically enabled when the `spring.devtools.remote.secret` property is set. The server component is automatically enabled when the `spring.devtools.remote.secret` property is set.
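Review bot: "The server component is automatically enabled when the `spring.devtools.remote.secret` property is set" deserves a caveat next to the new "unique and strong" sentence: because the secret alone switches the endpoint on, a value placed in the application's committed default configuration turns remote support on in every environment that loads it, including the production deployment the section says must never have it. Suggest adding a sentence that the secret should be supplied only to the remote development deployment (for example via an environment variable or a profile-specific properties file) rather than the default configuration, and that it should be produced by a random generator rather than chosen by hand, which gives the reader a concrete way to meet "cannot be guessed or brute-forced" now that the example value has been removed.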