Securing FOSSBilling
This guide is incomplete. Please help us complete it using the "Edit this page" button in the sidebar. Thanks!
FOSSBilling configuration
These following documents security options under the config.php
configuration file.
Security Options
Property descriptions
Config Property | Default Value | Allowed Values | Description |
---|---|---|---|
mode | strict | strict or regular | Setting this to strict sets cookies to have their samesite attribute set to strict and they will be set as httpOnly . Setting it to regular will use the default cookie properties except that they will still be set as httpOnly . |
force_https | true | bool | Setting this to true will cause FOSSBilling to redirect all requests to HTTPS and force cookies to only be sent over HTTPS. |
cookie_lifespan | 7200 | int | This property configures the number of seconds that cookies and session is considered valid for. After this time period, they will expire and be destroyed. The default configuration is 7200 seconds (2 hours). |
Example in the config
'security' => [
'mode' => 'strict',
'force_https' => true,
'cookie_lifespan' => 7200,
],
API options
Property Descriptions
Config Property | Default Value | Allowed Values | Description |
---|---|---|---|
CSRFPrevention | true | bool | Enables or disables the usage of a CSRF protection system. This should be enabled at all times unless it is specifically causing issues. |
Example in the config
'api' => [
'CSRFPrevention' => true,
],
Cloudflare
- Enable
IP Geolocation
under your website'sNetwork
settings. This will allow FOSSBilling to use a visitor's country (based on IP address) to help prevent session hijacking.
Reverse proxies
Indicating HTTPS
Because of how reverse proxies typically work, it's common for the usage of it to make FOSSBilling think it's being accessed without HTTPS.
To fix this, simply ensure that your reverse proxy is forwarding the X-Forwarded-Proto
header and that it's correctly set to https
.