Security and performance checklist
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
Before deploying to production, it is important to validate that the application meets security and performance requirements. This checklist ensures that authentication, authorization, and resource protection measures are properly configured. It also includes performance tuning recommendations for production environments.
Authentication and authorization requirements
Some of the essential security measures for authentication and authorization include:
| Requirement | Description |
|---|---|
| Service account required | Set required=true and enforce issuer and audience validation if applicable |
| Key rotation process | Use JWKS or establish a planned key rotation strategy |
| Scope definition | Define scopes and ensure sensitive tools are not exposed without explicit scope |
| TLS or mTLS enforced | Do not allow plaintext ingress |
| Token exchange security | If enabled, use HTTPS and restrict scopes |
| Route maps | Include only intended write paths |
| Secrets management | Mount secrets externally. Do not bake them into images or configuration files |
Performance and resource protection for production hardening
The following checklist provides recommended settings for performance tuning and resource protection:
| Setting | Recommended value or action |
|---|---|
| Request timeout | Enable middleware.request_timeout.enabled=true. The default value is 500 ms. |
| Payload size guard | Configure runtime.max_request_bytes=10240. Adjust this value per use case. |
| Circuit breaker | Enable middleware.circuit_breaker.enabled=true and tune thresholds |
| Connection pool limits | Set runtime.http.limits.max_connections=100 and max_keepalive_connections=20 |
| Response guard | Enable blocking or trimming with sensible limits |
| Rate limiting | Enable for public or shared deployments |
| Method validation | Enable fast-fail validation: middleware.method_validation.enabled=true |
| Uvicorn workers | Configure UVICORN_WORKERS based on workload |
| Connection tuning | Optimize UVICORN_KEEPALIVE and UVICORN_SHUTDOWN_TIMEOUT for load |
| Proxy headers | Enable UVICORN_PROXY_HEADERS=1 when behind a load balancer |
| Resource monitoring | Track CPU, memory, and response time |
Routing and exposure
Routing and method exposure settings control which HTTP methods are allowed and how requests are validated. These configurations help enforce security and prevent accidental execution of unsupported operations. The following table summarizes the routing and exposure rules:
| Setting | Description |
|---|---|
| Non-GET methods | All write methods must be explicitly included. None are allowed implicitly. |
| method_validation | Enabled by default to reject unknown tools or unsupported methods quickly. |
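A pre-deployment audit that checks the machine-checkable settings named in the performance and routing tables above (request timeout, payload guard, circuit breaker, connection pool limits, method validation, and the Uvicorn environment variables). This is an added example, not OpenEdge's own tooling; it assumes the dotted setting names resolve against a nested configuration mapping, that max_keepalive_connections lives under runtime.http.limits beside max_connections, and the sample configuration is constructed.

```python
# Pre-deployment audit of the checklist's machine-checkable settings (added example, not
# OpenEdge tooling). ASSUMPTION: dotted names map onto a nested mapping, e.g.
# cfg["middleware"]["request_timeout"]["enabled"], with max_keepalive_connections under runtime.http.limits.
from typing import Any, Mapping

def lookup(cfg: Mapping[str, Any], dotted: str) -> Any:
    """Resolve a dotted key against nested mappings; None if a segment is missing."""
    node: Any = cfg
    for part in dotted.split("."):
        if not isinstance(node, Mapping) or part not in node:
            return None
        node = node[part]
    return node

def audit(cfg: Mapping[str, Any], env: Mapping[str, str], behind_lb: bool) -> list[str]:
    """Return one finding per unmet checklist item; an empty list means the config passes."""
    findings: list[str] = []
    # Fast-fail middleware must be a literal True, not merely a truthy value such as "yes".
    for key in ("middleware.request_timeout.enabled", "middleware.circuit_breaker.enabled",
                "middleware.method_validation.enabled"):
        if lookup(cfg, key) is not True:
            findings.append(f"{key} must be true")
    # Payload size guard: a positive byte limit (the checklist suggests 10240).
    max_bytes = lookup(cfg, "runtime.max_request_bytes")
    if not isinstance(max_bytes, int) or max_bytes <= 0:
        findings.append("runtime.max_request_bytes must be a positive byte limit")
    # Connection pool: both limits set, with the keep-alive pool inside the total.
    max_conn = lookup(cfg, "runtime.http.limits.max_connections")
    max_keep = lookup(cfg, "runtime.http.limits.max_keepalive_connections")
    if not isinstance(max_conn, int) or max_conn <= 0:
        findings.append("runtime.http.limits.max_connections must be a positive limit")
    elif not isinstance(max_keep, int) or not 0 < max_keep <= max_conn:
        findings.append("max_keepalive_connections must be between 1 and max_connections")
    # Uvicorn: a worker count, and proxy headers only when a load balancer is in front.
    if not env.get("UVICORN_WORKERS", "").isdigit():
        findings.append("UVICORN_WORKERS must be set to a worker count")
    if behind_lb and env.get("UVICORN_PROXY_HEADERS") != "1":
        findings.append("UVICORN_PROXY_HEADERS=1 is required behind a load balancer")
    return findings

# Constructed sample: circuit breaker off, keep-alive pool above max_connections, no proxy-header flag.
SAMPLE_CFG = {
    "middleware": {"request_timeout": {"enabled": True}, "circuit_breaker": {"enabled": False},
                   "method_validation": {"enabled": True}},
    "runtime": {"max_request_bytes": 10240,
                "http": {"limits": {"max_connections": 100, "max_keepalive_connections": 200}}},
}
if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, {"UVICORN_WORKERS": "4"}, behind_lb=True):
        print("FAIL:", finding)
```

Running the audit against the constructed sample reports the three unmet items in table order; a configuration that matches the checklist returns an empty list.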