Atrocore aims to ship with secure defaults that administrators do not need to modify. However, in some cases additional security hardening can be applied in scenarios where the administrator has complete control over the instance.
Keep the operating system and its packages up to date, for example on Debian/Ubuntu:
sudo apt update && sudo apt upgrade
In the PHP configuration, enable error logging but disable displaying errors to users (display_errors = Off).
Disable remote root access to the database.
Using Atrocore without using an encrypted HTTPS connection opens up your server to a man-in-the-middle (MITM) attack, and risks the interception of user data and passwords. It is a best practice, and highly recommended, to always use HTTPS on production servers, and to never allow unencrypted HTTP.
To redirect all HTTP traffic to HTTPS, administrators are encouraged to issue a permanent redirect using the 301 status code. When using Apache this can be achieved by a setting such as the following in the Apache VirtualHost configuration:
<VirtualHost *:80>
ServerName pim.your-domain.com
Redirect permanent / https://pim.your-domain.com/
</VirtualHost>
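A small check, added here as an example and not part of Atrocore or its documentation, that verifies the redirect above from the outside: the plain-HTTP endpoint must answer 301 with a Location pointing at the HTTPS version of the same host and path. It assumes the hostname pim.your-domain.com from the snippet; the responses used in the test are constructed.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_redirect(status, location, original_url):
    """Judge one response to a plain-HTTP request.

    Returns (ok, reason). ok is True only for a permanent (301) redirect to
    the HTTPS URL with the same host and the same path as the request, which
    is what "Redirect permanent / https://host/" in Apache produces.
    """
    src = urlsplit(original_url)
    if status != 301:
        return False, f"expected 301, got {status}"
    if not location:
        return False, "301 without a Location header"
    dst = urlsplit(location)
    if dst.scheme != "https":
        return False, f"redirect target is not https: {location}"
    if dst.hostname != src.hostname:
        return False, f"redirect changes host: {src.hostname} -> {dst.hostname}"
    if (dst.path or "/") != (src.path or "/"):
        return False, f"redirect drops the path: {src.path!r} -> {dst.path!r}"
    return True, "permanent redirect to https"


def probe(url, timeout=5):
    """Send one GET to a plain-HTTP URL and return (status, Location header)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here with NoRedirect
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    # Hostname assumed from the VirtualHost snippet; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://pim.your-domain.com/admin"
    ok, reason = check_redirect(*probe(target), target)
    print(("OK" if ok else "FAIL") + ": " + reason)
```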
Don't use an admin user for everyday work. Use a regular user instead.
To ensure the security of your accounts and sensitive data, follow these best practices when creating a password:
Length: Use a password that is at least 12-16 characters long. Longer passwords are significantly harder to crack.
Complexity: Include a mix of:
Avoid Common Words: Do not use easily guessable words, phrases, or patterns such as:
Use Passphrases: A random combination of unrelated words (e.g., "BlueTiger$Mountain99") is both strong and easier to remember.
Unique Passwords: Do not reuse passwords across multiple accounts. If one is compromised, others remain safe.
Password Managers: Consider using a password manager to generate and store complex passwords securely.
By following these guidelines, you can significantly improve the security of your online accounts and protect your personal information.
Consider decreasing the Auth Token Max Idle Time. You can also specify an Auth Token Lifetime.