12 changes: 11 additions & 1 deletion fineract-doc/src/docs/en/chapters/security/harden.adoc
@@ -14,9 +14,19 @@ Also, we recommend you familiarize yourself with the OWASP foundation and the "C

== Tips for securing the Fineract infrastructure

=== Pay attention to your logs

View, review, and continuously monitor your server logs. Heed `DO NOT USE THIS IN PRODUCTION!` warnings.

=== Do not enable Spring profiles

Spring profiles such as `test` must never be enabled in production environments. `test` enables insecure API endpoints only meant for dev/test.

See <<Kubernetes>> for a valid use of the `liquibase-only` Spring profile.

=== Run it isolated and/or disconnected

In the world of Microfinance or small banking operations (in some geographies), it is possible that you can run Fineract on a private network, or isolated from the internet by being hosted locally and securing all connections. This could involve establishing a VPN with limited ports open, and only accepting connections within that VPN. At the far end of this spectrum, is running it isolated and air-gapped as a backend accounting system, where there is no internet connection on that device. In such scenarios, you are limiting the vectors of attack to just those employees you give access to. You are also limiting the functionality to accounting and basic operations, so this is rarely appropriate. Even in these scenarios, it is important that you establish reviews of logs and accounts on a periodic basis to determine if any internal fraud is occurring. Such things should be part of your operational manual. There are a number of resources available for this topic, please find them online. For Fineract in particular, be mindful of the set up of approvals and and the access you give to each person or role in your organization
In the world of Microfinance or small banking operations (in some geographies), it is possible that you can run Fineract on a private network, or isolated from the internet by being hosted locally and securing all connections. This could involve establishing a VPN with limited ports open, and only accepting connections within that VPN. At the far end of this spectrum, is running it isolated and air-gapped as a backend accounting system, where there is no internet connection on that device. In such scenarios, you are limiting the vectors of attack to just those employees you give access to. You are also limiting the functionality to accounting and basic operations, so this is rarely appropriate. Even in these scenarios, it is important that you establish reviews of logs and accounts on a periodic basis to determine if any internal fraud is occurring. Such things should be part of your operational manual. There are a number of resources available for this topic, please find them online. For Fineract in particular, be mindful of the set up of approvals and and the access you give to each person or role in your organization.

=== Running it connected but behind a firewall

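Review bot: the rewritten paragraph (the `+` line ending in "organization.") only adds the trailing period and keeps the duplicated "and and" in "the set up of approvals and and the access you give"; since the line is being touched anyway, fix that too, e.g. "the setup of approvals and the access you give to each person or role in your organization." Also, the new heading `=== Do not enable Spring profiles` is broader than the text beneath it, which immediately points to `liquibase-only` as a valid profile under <<Kubernetes>>; consider `=== Do not enable dev/test Spring profiles` so the heading and the body agree. Finally, under "Pay attention to your logs", it would help operators to say which component emits the `DO NOT USE THIS IN PRODUCTION!` warning and when (e.g. at startup), so they know what to grep for rather than only that the string exists.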