Security - rejetto/hfs GitHub Wiki

While HFS focuses on ease of use, we care about security:

  • HTTPS support
  • Passwords are never stored: the server keeps only an SRP (Secure Remote Password) verifier, and the login exchange never sends the password itself, so it stays private even without HTTPS (the transferred files and the resulting session do not, so HTTPS is still recommended)
  • Automated tests, including audits of the third-party libraries HFS depends on, run on every release
  • No default admin password
  • No known unfixed security problems
  • If a serious security problem is discovered, you will get a warning in the Admin-panel

We are a small project and cannot claim the same level of trust as Apache or similar long-established servers. Nevertheless, a few security researchers have spent time reviewing HFS, and we fixed every security problem that was reported.

Some actions you can take to improve security:

  • Keep the software updated; by default HFS notifies you automatically when a new version is available
  • Use HTTPS, preferably with a certificate issued by a trusted CA rather than a self-signed one, so clients can actually verify the server they are talking to
  • Configure your domain in the "Internet" page and enable "Accept requests only using domain", so requests that reach the server by bare IP address or with an unexpected Host header (mass scanners, DNS rebinding) are not served
  • Install the "antidos" plugin, to mitigate clients that flood the server with requests
  • Ensure the "antibrute" plugin is running: SRP keeps passwords off the wire, but it does not stop online guessing of weak passwords
  • Disable "unprotected admin on localhost"; otherwise any user or process on the same machine can open the Admin-panel without a password
  • Where applicable, expose HFS only inside a VPN rather than on the public Internet