Securing FOSSBilling
This guide is incomplete. Please help us complete it using the "Edit this page" button in the sidebar. Thanks!
Configuration
FOSSBilling ships with its security features enabled and set to their strictest values by default. These options can be relaxed, but it is recommended to keep them at their default values.
Security Options
- Security Mode:
  - Default: `strict`
  - Options:
    - `strict`: Cookies are only sent over a secured connection (HTTPS), have the `samesite` option set to 'strict', and are marked as `httpOnly`.
    - `regular`: Allows HTTP connections and uses the default cookie settings for your server.
  - Configuration: Set the option `mode` in the `config.php` file.
- HTTPS Redirection:
  - Default: `true`
  - Options: `true` or `false`
  - Configuration: Set the option `force_https` in the `config.php` file.
- Cookie Lifespan:
  - Default: `7200` seconds (2 hours)
  - Configuration: Set the option `cookie_lifespan` in the `config.php` file to the desired maximum lifespan of cookies in seconds.
API Options
- CSRF Prevention:
  - Default: `true`
  - Options: `true` or `false`
  - Configuration: Set the option `CSRFPrevention` in the `config.php` file.
  - Note: Disabling this protection is not recommended and opens your instance to a known vulnerability. This option is only here for backwards compatibility.
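The following is an added example, not code from FOSSBilling itself, that ties the Security Options and API Options above together: a `config.php` fragment holding the documented defaults, plus two small helpers that show what `mode`, `force_https` and `cookie_lifespan` imply for the session cookie and for HTTP-to-HTTPS redirection. The nesting of the keys under `security` and `api`, the `url` key used as the canonical base URL, and the helper names are assumptions; check your own `config.php` for the exact layout.

```php
<?php
// Added example (not FOSSBilling's own code). Key nesting under 'security'
// and 'api', and the 'url' key, are assumptions about config.php layout.
declare(strict_types=1);

// Recommended (default) values for the options documented on this page.
$config = [
    'url' => 'https://billing.example.com',   // assumed canonical base URL
    'security' => [
        'mode'            => 'strict', // 'strict' or 'regular'
        'force_https'     => true,     // redirect plain-HTTP requests to HTTPS
        'cookie_lifespan' => 7200,     // maximum cookie lifetime in seconds (2 hours)
    ],
    'api' => [
        'CSRFPrevention'  => true,     // keep enabled; disabling exposes a known vulnerability
    ],
];

/**
 * Translate the 'security' block into PHP session cookie parameters.
 * In strict mode the cookie is HTTPS-only, HttpOnly and SameSite=Strict;
 * in regular mode only the lifespan is set and the server defaults apply.
 */
function cookieParamsFor(array $security): array
{
    $strict = ($security['mode'] ?? 'strict') === 'strict';
    $params = ['lifetime' => (int) ($security['cookie_lifespan'] ?? 7200)];
    if ($strict) {
        $params += ['secure' => true, 'httponly' => true, 'samesite' => 'Strict'];
    }
    return $params;
}

/**
 * Return the HTTPS URL to redirect to when force_https is enabled and the
 * request arrived over plain HTTP, or null when no redirect is needed.
 * The target is built from the configured base URL, not from the Host
 * header, so a client cannot steer the redirect elsewhere.
 */
function httpsRedirectTarget(array $security, bool $isHttps, string $baseUrl, string $uri): ?string
{
    if (empty($security['force_https']) || $isHttps) {
        return null;
    }
    return rtrim($baseUrl, '/') . '/' . ltrim($uri, '/');
}

// Apply the settings before the session starts.
session_set_cookie_params(cookieParamsFor($config['security']));

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$target  = httpsRedirectTarget(
    $config['security'],
    $isHttps,
    $config['url'],
    $_SERVER['REQUEST_URI'] ?? '/'
);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
session_start();
```

With `mode` set to `regular`, `cookieParamsFor()` returns only the `lifetime` entry, which is exactly the relaxation the page describes: the `secure`, `httponly` and `samesite` flags fall back to whatever your server's defaults are, so a session cookie may travel over plain HTTP and be readable from JavaScript.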
Hosting Environment
These documents are incomplete; if you have suggestions, we'd appreciate a pull request on our GitHub account.
- Ensure you have a valid SSL certificate configured on your web server with the latest version of TLS enabled.