Security recommendations
This commit is contained in:
@@ -36,6 +36,7 @@ To be notified of important news (such as new releases, security advisories, etc
|
||||
- [Fix Permissions](https://github.com/snipe/snipe-it#6-fix-permissions)
|
||||
- [Set the correct document root for your server](https://github.com/snipe/snipe-it#7-set-the-correct-document-root-for-your-server)
|
||||
- [Seed the Database](https://github.com/snipe/snipe-it#8-seed-the-database)
|
||||
- [Some Notes on Security](https://github.com/snipe/snipe-it#some-notes-on-security)
|
||||
- [Developing & Contributing](https://github.com/snipe/snipe-it#developing--contributing)
|
||||
- [Application Logs](https://github.com/snipe/snipe-it#application-logs)
|
||||
- [Running this on an EC2 Micro Instance](https://github.com/snipe/snipe-it#running-this-on-an-ec2-micro-instance)
|
||||
@@ -237,6 +238,16 @@ To enable it by default after reboot, add this line to /etc/fstab:
|
||||
|
||||
-----
|
||||
|
||||
## Some Notes on Security
|
||||
|
||||
Although this is web-based software and must run on a web server, you may want to consider whether you actually need it accessible to the outside world. Running it on an internal network with ports closed to the outside world, or on AWS using a security group that prevents access from outside a selected static IP range, may be something to consider.
|
||||
|
||||
While most use cases won't be storing Personally Identifiable Information (PII), someone with the right motivation could gain useful knowledge about the number of employees, types of assets, etc you maintain. While this information in and of itself isn't harmful, it could be helpful to Bad Guys in a targeted attack, so you should consider whether you want to limit access to it via IP or network rules.
|
||||
|
||||
Also, running this over SSL is not required, but a good idea. (Running everything ever over SSL is a good idea at this point.)
|
||||
|
||||
-----
|
||||
|
||||
## Developing & Contributing
|
||||
|
||||
Please be sure to see the [contributing guidelines](https://github.com/snipe/snipe-it/blob/develop/CONTRIBUTING.md) before submitting pull requests.
|
||||
|
||||
Reference in New Issue
Block a user