I am working with an Atlassian Connect Spring Boot application. The app runs with no issues, but gives me the following warning:
Accepting installations signed by unknown hosts. This setting poses a security risk, and should not be used in production deployments.
I am using JWT authentication, so I would assume this warning appears as the first request is not signed by the server as the JWT hasn’t been generated. What are the implications of this warning, and what can I do to mitigate this risk/remove the warning?
So far I have tried adding the below fields to the atlassian-connect.json file but neither has removed the above warning.
"allow-reinstall-missing-host" = true,
@Sophie from the repository README:
You can use a Spring properties file to configure the behaviour of your application. If you define properties in your properties file, they will override the default values set by
Atlassian hosts will sign all but the first installation request. If your add-on loses the host details during development, this flag enables installations to be accepted by your add-on.
Making your add-on production ready
Some of the default configuration for atlassian-connect-spring-boot is only safe in a development environment - you should enable a Spring profile called production if deploying to a production environment. There are a number of ways to set the active profiles of a Spring Boot application. For example, if launching your application using the Spring Boot Maven plugin:
mvn spring-boot:run -Drun.profiles=production
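As an added illustration (not part of the answer above or of the atlassian-connect-spring-boot project itself), one way to keep the development-only flag out of production is to split it across Spring profile-specific property files. The property key is the README flag quoted above under the library's `atlassian.connect` prefix; the file names, comments and the choice of values are this example's own.

```properties
# src/main/resources/application.properties
# Loaded for every profile. Leaving the flag on here keeps local development
# working when the stored host record is lost, which is the only situation the
# README describes it for. It is also what triggers the warning in the question.
atlassian.connect.allow-reinstall-missing-host=true

# src/main/resources/application-production.properties
# Loaded only when the "production" profile is active, and overrides the line
# above. With the flag off, an installation request that is not signed by a
# host the add-on already knows is rejected instead of accepted.
atlassian.connect.allow-reinstall-missing-host=false
```

Activate the production file with the Maven command shown above, or for a packaged jar with `SPRING_PROFILES_ACTIVE=production java -jar your-addon.jar`. A quick check that the override took effect is to start the app with the profile active and confirm the "Accepting installations signed by unknown hosts" line no longer appears in the startup log.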