redpanda-data · kbatuigas · Nov 19, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc b/modules/deploy/pages/redpanda/manual/production/production-readiness.adoc
@@ -318,6 +318,15 @@ In the logs, verify `enabled: 1`.
 
 See also: xref:manage:security/listener-configuration.adoc#multiple-listeners[Multiple listeners]
 
+[NOTE]
+====
+You can also use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate a security report for your cluster and verify TLS, authentication, and authorization settings.
+
+```bash
+curl 'http://localhost:9644/v1/security/report'
+```
+====
+
 [[redpanda-tuners]]
 === Run Redpanda tuners
 
@@ -643,6 +652,46 @@ Review your deployment automation. Specifically, if you need to reprovision a cl
 
 Check that your xref:manage:audit-logging.adoc#audit-log-flow[audit logs] are forwarded to an enterprise security information and event management (SIEM) system. 
 
+=== Monitor security settings
+
+Regularly review your cluster's security settings using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. Investigate and address any issues identified in the alerts section.
+
+.Output
+[source,bash]
+----
+curl 'http://localhost:9644/v1/security/report'
+----
+
+.Output
+[source,bash,role=no-copy]
+----
+"alerts": [
+    {
+      "affected_interface": "kafka",
+      "listener_name": "test_kafka_listener",
+      "issue": "NO_AUTHZ",
+      "description": "\"kafka\" interface \"test_kafka_listener\" is not using authorization. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "schema_registry",
+      "listener_name": "test_sr_api_listener",
+      "issue": "NO_AUTHZ",
+      "description": "\"schema_registry\" interface \"test_sr_api_listener\" is not using authorization. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "schema_registry_client",
+      "listener_name": "schema_registry_client",
+      "issue": "NO_AUTHN",
+      "description": "\"schema_registry_client\" interface \"schema_registry_client\" is not using authentication. This is insecure and not recommended."
+    },
+    {
+      "affected_interface": "audit_log_client",
+      "listener_name": "audit_log_client",
+      "issue": "NO_TLS",
+      "description": "\"audit_log_client\" interface \"audit_log_client\" is not using TLS. This is insecure and not recommended."
+    }
+  ]
+----
 
 == Suggested reading
 

diff --git a/modules/develop/partials/http-proxy.adoc b/modules/develop/partials/http-proxy.adoc
@@ -952,6 +952,17 @@ ifndef::env-cloud[]
 For details about configuring OIDC authentication, see xref:manage:security/authentication.adoc#oidc-http[OIDC Authentication].
 endif::[]
 
+ifndef::env-cloud[]
+== Generate a security report for HTTP Proxy
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate comprehensive security reports for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including HTTP Proxy.
+
+```bash
+curl 'http://localhost:9644/v1/security/report'
+```
+endif::[]
+
+
 == Use Swagger with HTTP Proxy
 
 You can use Swagger UI to test and interact with Redpanda HTTP Proxy endpoints.

diff --git a/modules/get-started/pages/release-notes/redpanda.adoc b/modules/get-started/pages/release-notes/redpanda.adoc
@@ -41,6 +41,14 @@ Redpanda Schema Registry now supports an import mode that allows you to import e
 Starting with this release, import mode must be used when importing schemas. Read-write mode no longer allows specifying a schema ID and version when registering a schema.
 See xref:manage:schema-reg/schema-reg-api.adoc#set-schema-registry-mode[Use the Schema Registry API] for more information.
 
+== Security report
+
+You can now generate security reports for your Redpanda cluster using the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint. The report provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).
+
+== Topic identifiers
+
+Redpanda v25.3 implements topic identifiers using 16 byte UUIDs as proposed in https://cwiki.apache.org/confluence/display/KAFKA/KIP-516%3A+Topic+Identifiers[KIP-516^].
+
 == Deprecations
 
 Several TLSv1.2 and TLSv1.3 cipher suites have been deprecated. See xref:upgrade:deprecated/index.adoc[Deprecated Features].

diff --git a/modules/manage/pages/schema-reg/schema-reg-api.adoc b/modules/manage/pages/schema-reg/schema-reg-api.adoc
@@ -1176,6 +1176,16 @@ The `serialized` format returns the Protobuf schema in its wire binary format in
 - For Protobuf, `serialized` and `ignore_extensions` are valid, but only `serialized` is currently supported; passing `ignore_extensions` returns a 501 Not Implemented error.
 - Cross-schema conditions such as `resolved` with Protobuf or `serialized` with Avro are ignored and the schema is returned in the default format.
 
+ifndef::env-cloud[]
+== Generate a security report for Schema Registry
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate comprehensive security reports for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including Schema Registry.
+
+```bash
+curl 'http://localhost:9644/v1/security/report'
+```
+endif::[]
+
 == Suggested reading
 ifndef::env-cloud[]
 * xref:manage:schema-reg/schema-reg-overview.adoc[]

diff --git a/modules/manage/pages/security/index.adoc b/modules/manage/pages/security/index.adoc
@@ -5,4 +5,10 @@
 :page-categories: Management, Security
 
 
-NOTE: All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.
+[NOTE]
+====
+All concepts described in this section are compatible with Kafka and its client libraries and CLIs. This section does not cover ways you can protect your Redpanda cluster externally; for example, through network ACLs or private networks.
+
+
+Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] Admin API endpoint to generate comprehensive security reports for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces (Kafka, RPC, Admin, Schema Registry, HTTP Proxy).
+====
diff --git a/modules/manage/pages/use-admin-api.adoc b/modules/manage/pages/use-admin-api.adoc
@@ -40,7 +40,6 @@ The base URL for all requests to the legacy endpoints is:
 http://<broker-address>:<admin-api-port>/v1/
 ```
 
-// TODO: Update link if necessary when v2 URLs are finalized
 For a full list of available endpoints, see the link:/api/doc/admin/v1/[Admin API Reference]. Select "v1" in the version selector to view legacy endpoints.
 
 ==== Example request
@@ -74,6 +73,8 @@ rpk redpanda admin brokers decommission <broker-id>
 --
 ====
 
+NOTE: Use the link:api/doc/admin/operation/operation-get_security_report[`/v1/security/report`] endpoint to generate comprehensive security reports for your cluster. This endpoint provides detailed information about TLS configuration, authentication methods, authorization status, and security alerts across all Redpanda interfaces, including the Admin API itself.
+
 === Use ConnectRPC endpoints
 
 The new endpoints differ from the legacy endpoints in the following ways: