Securing FOSSBilling
This guide is incomplete. Please help us complete it using the “Edit this page” button in the sidebar. Thanks!
FOSSBilling configuration
These following documents security options under the config.php configuration file.
Security Options
Property descriptions
| Config Property | Default Value | Allowed Values | Description |
|---|---|---|---|
mode | strict | strict or regular | Setting this to strict sets cookies to have their samesite attribute set to strict and they will be set as httpOnly. Setting it to regular will use the default cookie properties except that they will still be set as httpOnly. |
force_https | true | bool | Setting this to true will cause FOSSBilling to redirect all requests to HTTPS and force cookies to only be sent over HTTPS. |
session_lifespan | 7200 | int | This property configures the number of seconds that sessions are considered valid for. After this time period, they will expire and be destroyed. The default configuration is 7200 seconds (2 hours). |
Example in the config
'security' => [
'mode' => 'strict',
'force_https' => true,
'session_lifespan' => 7200,
],API options
Property Descriptions
| Config Property | Default Value | Allowed Values | Description |
|---|---|---|---|
CSRFPrevention | true | bool | Enables or disables the usage of a CSRF protection system. This should be enabled at all times unless it is specifically causing issues. |
Example in the config
'api' => [
'CSRFPrevention' => true,
],Cloudflare
- Enable
IP Geolocationunder your website’sNetworksettings. This will allow FOSSBilling to use a visitor’s country (based on IP address) to help prevent session hijacking.
Reverse proxies
Indicating HTTPS
Because of how reverse proxies typically work, it’s common for the usage of it to make FOSSBilling think it’s being accessed without HTTPS.
To fix this, simply ensure that your reverse proxy is forwarding the X-Forwarded-Proto header and that it’s correctly set to https.