Version: dev

H2 Database - TESTING ONLY, NOT FOR PRODUCTION

⚠️ CRITICAL SECURITY WARNING: H2 Database is NOT suitable for production environments. It is provided for local testing and development purposes only. Using H2 in production exposes your server to serious security vulnerabilities. Please read this page carefully before using H2 with HertzBeat.

🔴 Security Risks - READ BEFORE USING

What is H2 Database?

H2 is an open-source Java SQL database. HertzBeat ships with H2 as its default embedded database to enable quick testing and evaluation without requiring a separate database installation.

Why H2 Is Dangerous in Production

H2 has a built-in feature called CREATE ALIAS that allows arbitrary Java code execution within database queries. This means:

    -- Example of EXTREMELY dangerous H2 capability:
    CREATE ALIAS EXEC AS $$
    String exec(String cmd) throws Exception {
        Runtime.getRuntime().exec(cmd);
        return null;
    }
    $$;

    -- This can execute shell commands on the server:
    CALL EXEC('rm -rf /important-data');

If your HertzBeat H2 database is accessible to malicious actors (or even unauthorized internal users), they can:

  • Execute arbitrary shell commands on the HertzBeat server
  • Read any file accessible to the HertzBeat process
  • Compromise the entire server running HertzBeat
  • Access all monitoring data including sensitive credentials
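Detection logic for the "watch for unusual SQL queries" precaution given later on this page, as an added example that is not HertzBeat code: it flags CREATE ALIAS statements (the H2 feature described above) and any later call of an alias defined that way. It assumes a statement log with one SQL statement per entry; the sample entries are constructed.

```python
# Constructed detection example for the "watch for unusual SQL queries" precaution;
# not HertzBeat code. Assumes one SQL statement per log entry.
import re

# H2 syntax: CREATE ALIAS [IF NOT EXISTS] name { FOR "class.method" | AS $$ java $$ }
CREATE_ALIAS = re.compile(r"\bCREATE\s+ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)", re.I)
INLINE_JAVA = re.compile(r"\$\$.*\$\$", re.S)
RUNTIME_EXEC = re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec", re.I)

def scan_statements(statements: list) -> list:
    """Return (statement_number, reason) for every statement a defender should review.
    Alias names defined earlier are remembered so a later CALL of that alias is flagged
    even though CALL itself is ordinary SQL."""
    alerts = []
    defined = set()
    for n, stmt in enumerate(statements, 1):
        m = CREATE_ALIAS.search(stmt)
        if m:
            defined.add(m.group(1).upper())
            reason = "CREATE ALIAS defines a Java-backed function"
            if INLINE_JAVA.search(stmt):
                reason += " with inline Java source"
            if RUNTIME_EXEC.search(stmt):
                reason += " that spawns OS processes"
            alerts.append((n, reason))
            continue
        for name in defined:  # any invocation of a previously defined alias
            if re.search(r"\b%s\s*\(" % re.escape(name), stmt, re.I):
                alerts.append((n, "call to user-defined alias %s" % name))
                break
    return alerts

# Constructed statement log (table names are illustrative), not real HertzBeat output.
SAMPLE_LOG = [
    "SELECT id, name FROM hzb_monitor WHERE status = 1",
    "CREATE ALIAS EXEC AS $$ String exec(String cmd) throws Exception "
    "{ Runtime.getRuntime().exec(cmd); return null; } $$",
    "CALL EXEC('rm -rf /important-data')",
    "SELECT COUNT(*) FROM hzb_alert",
]
```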

📖 For complete details, read the official H2 Security Documentation.

Network Exposure Risk

H2 can run in server mode, potentially exposing a database management interface on the network. By default, H2 uses ports 8082 (web console) and 9092 (TCP server). If these are accessible externally, any user can connect directly to your database.


✅ H2 is Appropriate For

  • Local Development: Quick setup for evaluating HertzBeat features
  • Automated Testing: CI/CD pipelines in isolated environments
  • Demos: Showcasing HertzBeat to stakeholders
  • Learning: Understanding HertzBeat before production deployment

🚫 H2 is NOT Appropriate For

  • Production deployments
  • Multi-user environments
  • Systems with sensitive monitoring data
  • Internet-accessible HertzBeat instances
  • Environments requiring data persistence across restarts
  • High-availability setups

🔒 Migrating to a Production Database

For production use, migrate to one of these supported databases:

MySQL / MariaDB:

  1. Install MySQL 5.7+ or MariaDB 10.5+
  2. Create a dedicated database and user:
     CREATE DATABASE hertzbeat;
     CREATE USER 'hertzbeat'@'localhost' IDENTIFIED BY 'strong_password_here';
     GRANT ALL PRIVILEGES ON hertzbeat.* TO 'hertzbeat'@'localhost';
     FLUSH PRIVILEGES;
  3. Update application.yml:
     spring:
       datasource:
         url: jdbc:mysql://localhost:3306/hertzbeat?useUnicode=true&characterEncoding=utf-8
         username: hertzbeat
         password: strong_password_here
         driver-class-name: com.mysql.cj.jdbc.Driver
  4. Download the MySQL JDBC driver and place it in ext-lib/
  5. Restart HertzBeat

📖 See the full MySQL monitoring guide for setup details.

PostgreSQL:

  1. Install PostgreSQL 12+
  2. Create a database and user:
     CREATE USER hertzbeat WITH PASSWORD 'strong_password_here';
     CREATE DATABASE hertzbeat OWNER hertzbeat;
     GRANT ALL PRIVILEGES ON DATABASE hertzbeat TO hertzbeat;
  3. Update application.yml:
     spring:
       datasource:
         url: jdbc:postgresql://localhost:5432/hertzbeat
         username: hertzbeat
         password: strong_password_here
         driver-class-name: org.postgresql.Driver
  4. Download the PostgreSQL JDBC driver and place it in ext-lib/
  5. Restart HertzBeat

📖 See the full PostgreSQL monitoring guide for setup details.


⚙️ H2 Configuration (Testing Only)

If you are using H2 for testing purposes in a sandboxed environment, the default HertzBeat configuration uses H2 with these settings:

  Configuration    Default Value       Description
  Database type    H2                  Embedded Java database
  Database file    ./data/hertzbeat    Local file storage
  Web console      Port 8082           H2 web management UI
  Auto-create      Enabled             Creates schema automatically

Checking Your Current Configuration

View your current database configuration in application.yml:

    spring:
      datasource:
        # H2 configuration (testing only)
        url: jdbc:h2:./data/hertzbeat
        driver-class-name: org.h2.Driver

🛡️ If You Must Use H2 Temporarily

If you absolutely must use H2 while transitioning to a production database, take these precautions:

  1. Restrict Network Access: Ensure HertzBeat is not accessible from the internet
  2. Disable H2 Console: Comment out or remove H2 console configuration
  3. Firewall Rules: Block ports 8082 and 9092 externally
  4. Limit User Access: Only trusted administrators should access HertzBeat
  5. Monitor Access Logs: Watch for unusual SQL queries
  6. Plan Migration: Set a deadline to migrate to MySQL or PostgreSQL
    # Disable H2 web console in application.yml:
    spring:
      h2:
        console:
          enabled: false  # IMPORTANT: Disable in any non-local environment

📋 Security Checklist Before Going to Production

Before deploying HertzBeat in any non-testing environment, verify:

  • H2 database has been replaced with MySQL or PostgreSQL
  • H2 web console is disabled
  • Database credentials are strong and unique
  • Database is not directly accessible from the internet
  • HertzBeat is running behind a reverse proxy with SSL
  • Monitoring credentials are encrypted and access-controlled
  • Regular database backups are configured
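A small audit that checks the first three items of this checklist (and the H2-console precaution above) against an application.yml, as an added example rather than HertzBeat's own tooling. It assumes the configuration uses only the plain nested-mapping YAML shown on this page, and the two sample configurations are constructed to mirror the page's fragments.

```python
# Constructed audit example, not HertzBeat code; it parses only the YAML subset
# these fragments use (nested mappings, scalar leaves, '#' comments), not full YAML.
PLACEHOLDER_PASSWORDS = {"", "password", "123456", "hertzbeat", "strong_password_here"}

def flatten_yaml(text: str) -> dict:
    """Flatten indentation-based mappings into dotted keys, e.g. 'spring.h2.console.enabled'."""
    flat = {}
    stack = []  # (indent, key) of the current mapping path
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # climb back to the parent level
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():  # scalar leaf: record it under its dotted path
            flat[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return flat

def audit_config(text: str) -> list:
    """Return the checklist items this configuration fails (empty list means pass)."""
    cfg = flatten_yaml(text)
    findings = []
    url = cfg.get("spring.datasource.url", "")
    if url.startswith("jdbc:h2:"):
        findings.append("datasource is H2: migrate to MySQL or PostgreSQL")
    if cfg.get("spring.h2.console.enabled", "false").lower() == "true":
        findings.append("H2 web console enabled: set spring.h2.console.enabled: false")
    pwd = cfg.get("spring.datasource.password", "")
    if url and not url.startswith("jdbc:h2:") and (pwd in PLACEHOLDER_PASSWORDS or len(pwd) < 12):
        findings.append("database password is a placeholder or too short")
    return findings

# Constructed sample configs mirroring the fragments on this page.
H2_CONFIG = """\
spring:
  datasource:
    url: jdbc:h2:./data/hertzbeat  # H2 configuration (testing only)
  h2:
    console:
      enabled: true
"""
MYSQL_CONFIG = """\
spring:
  datasource:
    url: jdbc:mysql://localhost:3306/hertzbeat?useUnicode=true&characterEncoding=utf-8
    password: strong_password_here
"""
```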

🆘 Help and Support

If you need help migrating from H2 to a production database:


Remember: The convenience of H2 for testing comes at the cost of security. Always plan to migrate to a production-grade database before deploying HertzBeat in any real environment.