Security recommendations

This commit is contained in:
snipe
2014-07-07 13:58:51 -04:00
parent 380ff9917d
commit 57b3f6c44f
+11
View File
@@ -36,6 +36,7 @@ To be notified of important news (such as new releases, security advisories, etc
- [Fix Permissions](https://github.com/snipe/snipe-it#6-fix-permissions)
- [Set the correct document root for your server](https://github.com/snipe/snipe-it#7-set-the-correct-document-root-for-your-server)
- [Seed the Database](https://github.com/snipe/snipe-it#8-seed-the-database)
- [Some Notes on Security](https://github.com/snipe/snipe-it#some-notes-on-security)
- [Developing & Contributing](https://github.com/snipe/snipe-it#developing--contributing)
- [Application Logs](https://github.com/snipe/snipe-it#application-logs)
- [Running this on an EC2 Micro Instance](https://github.com/snipe/snipe-it#running-this-on-an-ec2-micro-instance)
@@ -237,6 +238,16 @@ To enable it by default after reboot, add this line to /etc/fstab:
-----
## Some Notes on Security
Although this is web-based software and must run on a web server, you may want to consider whether you actually need it accessible to the outside world. Running it on an internal network with ports closed to the outside world, or on AWS using a security group that prevents access from outside a selected static IP range, may be something to consider.
While most use cases won't be storing Personally Identifiable Information (PII), someone with the right motivation could gain useful knowledge about the number of employees, types of assets, etc you maintain. While this information in and of itself isn't harmful, it could be helpful to Bad Guys in a targeted attack, so you should consider whether you want to limit access to it via IP or network rules.
Also, running this over SSL is not required, but a good idea. (Running everything ever over SSL is a good idea at this point.)
-----
## Developing & Contributing
Please be sure to see the [contributing guidelines](https://github.com/snipe/snipe-it/blob/develop/CONTRIBUTING.md) before submitting pull requests.