| CIS Control | Geth Setting | Recommendation | Risk if ignored |
|-------------|--------------|----------------|-----------------|
| 1.1 Disable HTTP RPC unless required | `--http=false` | Use IPC or WS over localhost only | Remote execution, info leak |
| 1.2 Restrict HTTP RPC methods | `--http.api=eth,net,web3` | Never expose `admin`, `debug`, `personal` | Unauthorized shutdown, account compromise |
| 1.3 Enable authentication for WebSocket | `--ws --ws.origins` + proxy auth (basic/JWT) | Use JWT secret (`--authrpc.jwtsecret`) | Replay attacks, tx manipulation |
| 1.4 Disable GraphQL if unused | `--graphql=false` | Default: off | Data exfiltration via complex queries |
| 2.1 Limit peer count | `--maxpeers=50` (private) / `--maxpeers=100` (mainnet) | Prevents eclipse attack | Memory exhaustion, eclipse |
| 2.2 Use static trusted peers | `--trusted-peers` + `static-nodes.json` | Avoids malicious peer injection | Gossip layer compromise |
| 3.1 Enable transaction journaling | `--txlookuplimit=0` (archive) | Default 1M txs is safe | Inability to query old txs |
| 3.2 Disable wallet / personal API | `--nousb` + `--unlock=""` | Prevents key extraction | Physical/USB key attack |
Sometimes users confuse it with LES (Light Ethereum Subprotocol).
The "Consensus" (Geth) vs. "Separatist Council" (CIS) contrast highlights different ways to manage decentralized power. The Geth fight for the right to "build their own future."
= (passed weight) / (total weight) × 100%

Passing threshold: ≥ 85% with zero critical fails.
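To turn the hardening table and the scoring rule into a repeatable check, here is an added example (not code from the page or from go-ethereum) that parses a geth launch command line, evaluates the flag-based controls from the table, and applies the page's (passed weight) / (total weight) × 100% score with the ≥ 85% and zero-critical-fails gate. The weights, which controls count as critical, and the sample commands are assumptions made for this example.

```python
"""Audit a geth command line against the hardening table and score it.

Added example. Weights and "critical" markings below are assumptions; the
page only gives the score formula and the >= 85% / zero-critical-fails gate.
"""
import shlex

# Constructed sample launch commands; the JWT path is a placeholder, not a real file.
EXPOSED_CMD = "geth --http --http.api eth,net,web3,admin --graphql --maxpeers 200"
HARDENED_CMD = ("geth --http=false --ws --ws.origins localhost "
                "--authrpc.jwtsecret /etc/geth/jwt.hex --graphql=false --maxpeers 50")

def parse_flags(cmd):
    """Map 'geth --a --b=x --c y' to {'a': True, 'b': 'x', 'c': 'y'}."""
    argv, flags, i = shlex.split(cmd)[1:], {}, 0
    while i < len(argv):
        name, _, val = argv[i][2:].partition("=")
        if not val and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            i, val = i + 1, argv[i + 1]          # space-separated value
        flags[name] = val or True                # bare flag -> True
        i += 1
    return flags

def _off(f, name):
    """A boolean flag counts as disabled when absent or explicitly =false."""
    return f.get(name, "false") == "false"

PRIVILEGED = {"admin", "debug", "personal"}     # namespaces the table says never to expose

# (control from the table, weight, critical, predicate over parsed flags)
CHECKS = [
    ("1.1 Disable HTTP RPC unless required", 3, True, lambda f: _off(f, "http")),
    ("1.2 Restrict HTTP RPC methods", 3, True,
     lambda f: not PRIVILEGED & set(str(f.get("http.api", "")).split(","))),
    ("1.3 JWT secret when WS is enabled", 2, False,
     lambda f: _off(f, "ws") or "authrpc.jwtsecret" in f),
    ("1.4 Disable GraphQL if unused", 1, False, lambda f: _off(f, "graphql")),
    ("2.1 Limit peer count", 1, False, lambda f: int(f.get("maxpeers", 50)) <= 100),
]

def audit(cmd):
    """Return (score_pct, passes, failed_controls) for one geth command line."""
    f = parse_flags(cmd)
    results = [(name, w, crit, pred(f)) for name, w, crit, pred in CHECKS]
    total = sum(w for _, w, _, _ in results)
    passed = sum(w for _, w, _, ok in results if ok)
    failed = [name for name, _, _, ok in results if not ok]
    critical_fail = any(crit and not ok for _, _, crit, ok in results)
    pct = 100.0 * passed / total
    return pct, pct >= 85 and not critical_fail, failed

if __name__ == "__main__":
    for cmd in (EXPOSED_CMD, HARDENED_CMD):
        print(audit(cmd))
```

Controls 2.2, 3.1 and 3.2 depend on files or on the running node's state rather than on a single flag, so they are left out of this command-line-only check.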