docs/infrastructure_and_maintenance/security/security_checklist.md
Lines changed: 6 additions & 6 deletions
@@ -295,12 +295,6 @@ See [Change from UTF8 to UTF8MB4](update_db_to_2.5.md#change-from-utf8-to-utf8mb
295
295
Secure the database access with strong passwords, keys, firewall, encryption in transit, encryption at rest, and so on, as needed.
296
296
When using [[= product_name_cloud =]], the provider handles this.
297
297
298
-
### Limit database rights
299
-
300
-
Optionally, ensure that the database user used by the web app only has permissions to do the operations needed by [[= product_name =]].
301
-
The Data Definition Language (DDL) commands (create, alter, drop, truncate, comment) are only needed for installing and upgrading [[= product_name =]], and not for running it.
302
-
Not granting these rights to web app users reduces the damage that can result from a security breach.
303
-
304
298
## Underlying stack
305
299
306
300
To avoid exposing your application to any DDOS vulnerabilities or other yet unknown security threats, make sure that you do the following:
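Review bot: removing the whole "Limit database rights" section (old lines 298-303) drops the only least-privilege guidance for the database account in this file, and nothing in this diff re-adds it; the new "Monitor logs" bullets later in the same file mention a separate database user only as a way to reduce log noise. Unless the text was moved to another file in the same change, keep the section, or at minimum the sentence that DDL commands (create, alter, drop, truncate, comment) are needed only for installing and upgrading and not for running the app, because a web-app account without those rights limits what a compromise of the application can do to the schema. If the intent is that the advice is optional, the existing "Optionally, ensure that..." wording already covers that, so deletion isn't needed.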
@@ -319,3 +313,9 @@ Those steps aren't needed when using [[= product_name_cloud =]], where the provi
319
313
to receive notifications when a security fix is released in a GitHub-hosted dependency.
320
314
- If you're not using GitHub for your project, you can create a dummy project on GitHub with the same dependencies as your real project, and enable Dependabot notifications for that.
321
315
- Ensure you get notifications about security fixes in JavaScript dependencies.
316
+
317
+
### Monitor logs
318
+
319
+
- Enable logging for [[= product_name =]], the web server, any frontend proxies, and the database.
320
+
- Monitor the logs for unusual and suspicious activity. Consider using log monitoring software to make this easier.
321
+
- Consider using different accounts for manual administrative tasks and for the day-to-day running of your installation. You could for instance configure [[= product_name =]] to use a different database user than the one you use during upgrades. This can make it easier to filter out noise in your log monitoring solution.
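Review bot: the last bullet (new line 321) gives the weaker reason for separating the runtime and administrative database accounts. Easier log filtering is a side benefit; the main reason is that the runtime account then does not need DDL rights, which is exactly the point of the "Limit database rights" section deleted earlier in this same file. Suggest leading with that, e.g. `You could for instance configure [[= product_name =]] to use a different database user than the one you use during upgrades, so the runtime user doesn't need schema-changing rights; it also makes it easier to filter out noise in your log monitoring solution.` Separately, "Monitor the logs for unusual and suspicious activity" (line 320) would be more actionable with a concrete signal or two, such as repeated failed logins or a sudden change in request volume, so readers know what "unusual" means in practice.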