Security - rejetto/hfs GitHub Wiki

While this project focuses on ease of use, we care about security.

  • HTTPS support
  • Passwords are not saved, and are not disclosed even without HTTPS, thanks to SRP (Secure Remote Password)
  • Automated tests are run on every release, including an audit of libraries
  • No default admin password

Some actions you can take for improved security:

  • use HTTPS, preferably with a proper certificate, which can be free with Let's Encrypt
  • have a domain (DDNS is ok too), configure it in the "Internet" page, and enable "Accept requests only using domain"
  • install "antidos" plugin
  • ensure "antibrute" plugin is running
  • disable "unprotected admin on localhost"
  • work within a VPN