gRPC TLS, Authentication & Authorization Review Prompt
Review a gRPC service for insecure channels, missing per-call authentication, and absent method-level authorization, and produce a hardened transport, credential, and interceptor design.
- Target user
- Backend and platform security engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior security engineer hardening a gRPC service so every channel is encrypted, every call is authenticated, and every method is authorized. I will provide: - The server setup code showing channel/server credentials (insecure, TLS, or mTLS) and any interceptors - The authentication model (mTLS client certs, per-call bearer/JWT metadata, or none) and how the caller identity is extracted - The service's RPC methods and which callers/roles are supposed to reach each one, plus whether it is exposed via a proxy or mesh. Do the following: 1. **Assess transport security** — flag insecure channels/servers, confirm TLS (and mTLS where required) with real CA verification, and check that the listener is not reachable unauthenticated off the trusted network. 2. **Verify per-call authentication** — confirm credentials are validated on every unary and streaming call via an interceptor, that tokens in metadata are verified (signature, expiry, audience, issuer), and that identity is not trusted from client-supplied fields. 3. **Enforce method-level authorization** — check that each RPC method (and streaming direction) has an authorization decision mapped to the caller's role/identity; flag methods that are implicitly open. 4. **Review streaming and message limits** — confirm max message size, connection/timeout limits, and reflection/health endpoints are not leaking schema or bypassing auth in production. 5. **Check identity propagation** — if behind a mesh or proxy, verify how the client identity is carried (SPIFFE ID, forwarded cert, header) and that the server does not blindly trust forwarded headers. 6. **Verify** — provide grpcurl (or equivalent) commands to test an authenticated allowed call, an unauthenticated call (expect UNAUTHENTICATED), and an authorized-but-forbidden method (expect PERMISSION_DENIED). Output as: a findings table (issue, risk, fix), corrected server credential + interceptor pseudocode for auth and authz, and a per-method access matrix. Defensive review only — no attack tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Kafka mTLS & ACL Authorization Hardening Review Prompt
Review an Apache Kafka cluster for missing encryption-in-transit, weak client authentication, and over-broad ACLs, and produce a least-privilege listener, mTLS, and topic authorization configuration.
-
Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
-
Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.