I am reading about mTLS and ACL tokens, do I need to use both (TLS encryption and ACL tokens) in a production environment? To me, if I create ACLs and create an ACL token for each client, then why do I need TLS client certificates? Could I just avoid installing the TLS certificate on the server and just force a token on the client side?
Hi @masuberu in a production environment where security matters, we do recommend combining the use of both mTLS certificates and ACL tokens. There have been CVE level incidents in the past where the protection of mTLS significantly reduces the impact of bugs discovered in the ACL system. Without an mTLS certificate to establish a connection in the first place, an attacker will have trouble exploiting broken ACLs (whether due to a bug, leaked credentials, etc.).