This document outlines security procedures and general policies for eLabFTW.
All security bugs will be considered seriously.
Thank you for improving the security of eLabFTW with a responsible disclosure.
If you have found a security issue within this project, please contact me securely through my Keybase profile.
GitHub/Dependabot is regularly scanning the dependencies and will report if a version used has a known vulnerability.
The code itself is checked by various static analyzers to try to detect bugs sooner, and best practices are used to prevent SQL injection (with prepared statements), XSS (with a Content-Security-Policy header), and other nasty things.
If you scan the live demo for good practices and security headers, you'll find that eLabFTW scores very high.
eLabFTW follows the best practices set out by The Linux Foundation Core Infrastructure Initiative.
You can see the criteria on this page.
Great, you've installed eLabFTW. But you're a little bit paranoid because you're working on some top secret project and you don't want anyone to be able to look at it.
Here is a list of steps you should follow to increase the security of your instance.
Exposing the eLabFTW service only internally is a good way to avoid having the whole world attacking it.
eLabFTW's container has been fine-tuned to maximize safety. For instance, the default PHP configuration has been modified to make the session identifier longer and to store sessions in a dedicated folder with tight permissions; many PHP functions not used by eLabFTW are disabled; the cookies carry the httpOnly, SameSite and secure flags; and there are other details that would not be easily modifiable if installed outside Docker.
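The paragraphs above mention prepared statements, a Content-Security-Policy header, a longer session identifier and cookie flags. The script below is an added example, not eLabFTW's own code, showing what those measures look like in plain PHP: it hardens the session cookie before `session_start()`, sends a restrictive set of security headers, and looks up a record with a PDO prepared statement so that untrusted input is bound as data rather than spliced into the SQL text. The session directory, the policy values and the `experiments` table are placeholders constructed for the example; an in-memory SQLite database is used so the script runs without a MySQL server, and the PDO pattern is the same with the MySQL driver.

```php
<?php
// Added example (not eLabFTW's own code): PHP session, header and
// prepared-statement hardening of the kind described in the text.
// Paths, policy values and table layout are placeholders.

declare(strict_types=1);

// --- 1. Session hardening (must run before session_start()) ---------------
// Longer session identifier than the PHP default (sid_length is in characters).
ini_set('session.sid_length', '64');
ini_set('session.sid_bits_per_character', '6');
// Dedicated session directory with tight permissions (placeholder location).
$sessionDir = sys_get_temp_dir() . '/app-sessions';
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
ini_set('session.save_path', $sessionDir);
ini_set('session.use_strict_mode', '1'); // reject session ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict', // not sent on cross-site requests
]);
session_start();

// --- 2. Security headers sent to the client --------------------------------
// Placeholder policy: scripts and resources only from our own origin,
// no plugins, no framing. Adjust to what the application actually needs.
header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: no-referrer');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// --- 3. SQL injection prevention with prepared statements ------------------
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements where the driver supports them
]);
$pdo->exec('CREATE TABLE experiments (id INTEGER PRIMARY KEY, title TEXT, userid INTEGER)');
$pdo->exec("INSERT INTO experiments (title, userid) VALUES ('PCR run', 1), ('Top secret', 2)");

// VULNERABLE pattern (shown only as a comment): the untrusted value becomes part
// of the SQL text, so a quote in the input changes the meaning of the query.
// $rows = $pdo->query("SELECT id, title FROM experiments WHERE title = '$userInput'");

// HARDENED: the value is bound as a parameter and is never parsed as SQL.
function findByTitle(PDO $pdo, string $userInput): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM experiments WHERE title = :title');
    $stmt->bindValue(':title', $userInput, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping for HTML contexts complements the CSP header: the browser
// never sees user-supplied text as markup.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a normal title and one containing SQL metacharacters.
var_dump(findByTitle($pdo, 'PCR run'));       // one row
var_dump(findByTitle($pdo, "' OR '1'='1"));   // zero rows: the whole string is matched as a literal title
echo escapeForHtml('<b>title</b>'), PHP_EOL;   // &lt;b&gt;title&lt;/b&gt;
```

Run it with `php hardening-example.php` from the command line; the `header()` calls are simply ignored outside a web request, while the session and query parts execute as shown. Setting `session.use_strict_mode` alongside the longer identifier matters because a long, random id only helps if the server refuses ids it did not generate itself.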
Nginx also has a custom configuration and binary compilation options with secure headers sent to the client.
Running eLabFTW outside Docker is NOT possible.
Subscribe to the Newsletter to receive a notification on a new release. Or use GitHub's notification system (you can elect to be notified only on new releases). And update your instance to the latest version quickly!
See Backup Documentation. And secure your backups on a filesystem with immutable snapshots! ;)