Security - rejetto/hfs GitHub Wiki

While HFS focuses on ease of use, security is a top priority:

  • HTTPS support
  • Passwords are never stored on the server, and they stay private even without HTTPS, thanks to SRP (Secure Remote Password)
  • Automated tests, including comprehensive library audits, run on every release
  • No default admin password
  • No known security vulnerabilities
  • If a serious security issue is discovered, you will receive a notification in the Admin-panel and in the console
  • Malicious plugins are blacklisted and automatically disabled upon discovery
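
As an added illustration of the SRP point above (example code written for this page, not HFS's own implementation), the following round-trip shows why the server can authenticate a user while storing only a salt and a verifier, and why an observer on plain HTTP sees only the public values A, B and a hash-based proof. It assumes SHA-256 as the hash, the 1024-bit group from RFC 5054 Appendix A, a simplified client proof M1 = H(A | B | K), and constructed sample credentials.

```python
"""SRP-6a login round-trip (example code added to this page, not HFS's own).

The server keeps only (salt, verifier); the wire carries A, B and a proof,
never the password. Assumptions: SHA-256, the RFC 5054 1024-bit group,
and a simplified proof M1 = H(A | B | K).
"""
import hashlib
import secrets

# 1024-bit safe prime and generator from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return n.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); only ever computed client-side."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Account creation: the server is handed (salt, verifier), not the password."""
    salt = secrets.token_bytes(16)
    verifier = pow(g, private_x(salt, username, password), N)
    return salt, verifier


def client_hello():
    """Client picks ephemeral a and sends A = g^a mod N."""
    a = secrets.randbits(256)
    return a, pow(g, a, N)


def server_hello(verifier: int):
    """Server picks ephemeral b and sends B = k*v + g^b mod N."""
    b = secrets.randbits(256)
    return b, (k * verifier + pow(g, b, N)) % N


def client_session_key(username, password, salt, a, A, B) -> bytes:
    """Client derives K from the password; S = (B - k*g^x)^(a + u*x)."""
    if B == 0:
        raise ValueError("server sent an invalid B")
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(verifier, b, A, B) -> bytes:
    """Server derives K from the verifier; S = (A * v^u)^b."""
    if A == 0:
        raise ValueError("client sent an invalid A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(verifier, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def proof(A: int, B: int, K: bytes) -> bytes:
    """Simplified client proof M1 = H(A | B | K); RFC 2945 folds in more fields."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def run_login(username, password, salt, verifier) -> bool:
    """Full exchange; True when the server accepts the client's proof."""
    a, A = client_hello()            # client -> server: A
    b, B = server_hello(verifier)    # server -> client: salt, B
    K_client = client_session_key(username, password, salt, a, A, B)
    K_server = server_session_key(verifier, b, A, B)
    M1 = proof(A, B, K_client)       # client -> server: M1
    return secrets.compare_digest(M1, proof(A, B, K_server))


if __name__ == "__main__":
    # Constructed sample credentials.
    salt, v = register("alice", "correct horse battery staple")
    print("right password accepted:", run_login("alice", "correct horse battery staple", salt, v))
    print("wrong password accepted:", run_login("alice", "hunter2", salt, v))
```

The value worth noticing is what each party holds: the client needs the password to compute x, while the server never sees x or the password and can verify the login from the stored verifier alone. A leaked verifier still has to be attacked offline, which is why the "antibrute" plugin and a strong password remain relevant even with SRP.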

We are a small project and cannot offer the same level of assurance as Apache or similar projects. Nevertheless, a few security researchers have dedicated time to HFS, and we have fixed every security problem they reported.

Recommended actions to improve security:

  • Keep HFS updated: By default, HFS will automatically notify you of new versions.
  • Minimize exposure:
    • If you only need LAN access, do not expose the server to the Internet.
    • If public access is not required, restrict access to registered accounts only.
  • Use HTTPS, preferably with a valid certificate.
  • Secure your domain: Configure your domain on the "Internet" page and enable "Accept requests only using domain."
  • Install the "antidos" plugin.
  • Ensure the "antibrute" plugin is active.
  • Disable "unprotected admin on localhost."
  • Use a VPN when applicable.
  • Be cautious with third-party plugins: Only plugins developed by us are guaranteed secure (official plugins will not trigger security alerts).