Security Hardening
Dashboard Protections
The dashboard includes several baseline protections:
- Authentication is required before dashboard data is visible.
- Admin-only routes protect settings, users, diagnostics, connection tests, and exports.
- Login attempts are rate-limited per username and client address.
- Session cookies are
HttpOnly,SameSite=Lax, and markedSecurewhen the dashboard is reached through HTTPS. - JSON and static responses include security headers for content type sniffing, framing, referrer behavior, and browser permissions.
- Admin audit events are recorded for login, registration, settings save, restore, user changes, notification tests, security setting changes, and logout.
- Admins can change their password from the
Security Auditpanel. A successful password change rotates the session secret and signs active sessions out. - Admins can set the session timeout from the
Security Auditpanel.
Reverse Proxy Checklist
- Serve the dashboard over HTTPS.
- Forward
X-Forwarded-Proto: httpsfrom the proxy so secure cookies are enabled. - Keep WebSocket support enabled for live dashboard updates.
- Restrict direct container access to trusted networks.
- Keep the dashboard behind your normal authentication and firewall layers when exposing it outside the lab.
Settings Backup
Dashboard state is stored in /data/dashboard.db. On upgrade, existing settings.json, notification-history.json, and audit-log.json files are imported automatically into the database. Keep the whole Docker data volume in your normal backup plan.
The admin recovery area includes:
Export settings: redacted export for troubleshooting.Export full backup: full settings backup including secrets.Restore full backup: replace saved dashboard settings from a trusted full backup JSON file.
Treat full backups like password vault exports. Store them encrypted, avoid sending them through chat or email, and rotate any exposed API keys.
Restoring a backup can replace users and session secrets. If the restored user data does not match your current session, sign in again after the restore completes.
Audit Log
The admin Security Audit panel shows recent security-relevant events:
- Actor.
- Action.
- Target.
- Status.
- Source IP as seen by the dashboard.
- Timestamp and short detail.
Audit history is saved in the dashboard database at /data/dashboard.db. On upgrade, an existing audit-log.json file is imported automatically. The dashboard keeps the latest 100 events so routine admin history survives container restarts while staying compact.
Session Timeout
The Security Audit panel includes a Session timeout field in hours. The accepted range is 0.25 to 168 hours.
Changing this value affects new sign-ins. Existing sessions keep the expiry that was issued when the user logged in.
You can also set the default with:
DASHBOARD_SESSION_MAX_AGE_HOURS=8
Iteration Checks
Run these checks before publishing a new image:
npm run build
npm run security:check
For backend changes, also run the production server locally with a temporary DATA_DIR and check /api/health plus the app shell.