Document security risks of DevTools' remote support more clearly

wilkinsona · wilkinsona · commit 89e050d72289 · 2019-11-05T09:22:39.000Z
Previously, the security risks and our recommendations on how to mitigate them were not documented as clearly as they could have been. This commit makes some changes to try to address this: 1. The security risk is now noted at the beginning of the section 2. The recommendation to use SSL is now documented more prominently and an alternative recommendation to only use remote support on a trusted network has been added. 3. The example secret has been removed to prevent copy and paste 4. A recommendation to use a secret that is unique and strong has been added Closes gh-18825
diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/using-spring-boot.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/using-spring-boot.adoc
@@ -912,7 +912,11 @@ NOTE: Profiles activated in `.spring-boot-devtools.properties` will not affect t
 === Remote Applications
 The Spring Boot developer tools are not limited to local development.
 You can also use several features when running applications remotely.
-Remote support is opt-in.
+Remote support is opt-in as enabling it can be a security risk.
+It should only be enabled when running on a trusted network or when secured with SSL.
+If neither of these options is available to you, you should not use DevTools' remote support.
+You should never enable support on a production deployment.
+
 To enable it, you need to make sure that `devtools` is included in the repackaged archive, as shown in the following listing:
 
 [source,xml,indent=0,subs="verbatim,quotes,attributes"]
@@ -930,15 +934,8 @@ To enable it, you need to make sure that `devtools` is included in the repackage
 	</build>
 ----
 
-Then you need to set a `spring.devtools.remote.secret` property, as shown in the following example:
-
-[source,properties,indent=0]
-----
-	spring.devtools.remote.secret=mysecret
-----
-
-WARNING: Enabling `spring-boot-devtools` on a remote application is a security risk.
-You should never enable support on a production deployment.
+Then you need to set the `spring.devtools.remote.secret` property.
+Like any important password or secret, the value should be unique and strong such that it cannot be guessed or brute-forced.
 
 Remote devtools support is provided in two parts: a server-side endpoint that accepts connections and a client application that you run in your IDE.
 The server component is automatically enabled when the `spring.devtools.remote.secret` property is set.
