Good application security starts with good operational security. If your server or network is compromised, FOSSBilling cannot protect you on its own.
Server-Level Security
Keep Everything Updated
- Apply operating system security patches promptly
- Keep FOSSBilling updated to the latest version
- Update all server software (web server, database, PHP)
Access Control
- Don't run services as root — use `sudo` when needed
- Use SSH keys instead of passwords for server access
- Disable root login over SSH
- Use a firewall to close unnecessary ports
Database Security
- Don't expose your database to the internet unless absolutely necessary
- Use strong, unique passwords for database accounts
- Limit database user privileges to what's required
Application-Level Security
HTTPS Everywhere
- Always use HTTPS in production
- Set `force_https` to `true` in your FOSSBilling config
- Use valid SSL certificates (Let's Encrypt is free and easy)
Session Security
- Keep `mode` set to `strict` in your security config
- Don't increase `session_lifespan` unnecessarily
- Log out when you're done working
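As an added check (not FOSSBilling's own code), the following PHP script audits the three settings named in the HTTPS Everywhere and Session Security lists above. It assumes `config.php` returns an array with a `security` sub-array holding `force_https`, `mode` and `session_lifespan` (in seconds); the config path and the 7200-second threshold are this example's own choices.

```php
<?php
// Added example, not part of FOSSBilling: audit the security settings in a
// FOSSBilling config.php against the recommendations on this page.
// Assumed: config.php returns an array with a 'security' sub-array containing
// 'force_https', 'mode' and 'session_lifespan' (seconds). The path and the
// lifespan threshold below are choices made for this example.

declare(strict_types=1);

const CONFIG_PATH = __DIR__ . '/config.php';  // assumed location
const MAX_SESSION_LIFESPAN = 7200;            // example threshold: 2 hours

/** Return a list of findings; an empty list means the config follows the advice. */
function auditSecurityConfig(array $config): array
{
    $sec = $config['security'] ?? [];
    $findings = [];

    if (($sec['force_https'] ?? false) !== true) {
        $findings[] = "force_https is not true: set 'force_https' => true so every request is served over HTTPS";
    }
    if (($sec['mode'] ?? '') !== 'strict') {
        $mode = (string) ($sec['mode'] ?? 'unset');
        $findings[] = "security mode is '{$mode}': keep 'mode' => 'strict'";
    }
    $lifespan = (int) ($sec['session_lifespan'] ?? 0);
    if ($lifespan <= 0 || $lifespan > MAX_SESSION_LIFESPAN) {
        $findings[] = "session_lifespan is {$lifespan}s: keep it at or below " . MAX_SESSION_LIFESPAN . "s unless you have a reason not to";
    }
    return $findings;
}

// Use the real config when present; otherwise fall back to a constructed sample
// that deliberately violates all three recommendations ('not-strict' is a
// placeholder value, not a real FOSSBilling mode).
$config = is_readable(CONFIG_PATH)
    ? require CONFIG_PATH
    : ['security' => ['force_https' => false, 'mode' => 'not-strict', 'session_lifespan' => 86400]];

$findings = auditSecurityConfig($config);
if ($findings === []) {
    echo "OK: security settings match the recommendations\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "WARN: {$finding}\n";
}
exit(1);
```

Run it from the directory containing `config.php` (e.g. `php audit-config.php`); a non-zero exit status makes it easy to wire into a deployment check.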
Admin Access
- Use strong, unique passwords for admin accounts
- Consider restricting admin panel access by IP if possible
- Regularly review admin activity logs
What We're Working On
We continue to improve FOSSBilling's security posture. Keep an eye on:
- Security advisories
- Release notes for security-related changes
- Our security policy
See something concerning? Report it responsibly.