Securing the FileRun installation

Once you have FileRun running, it is strongly recommended to follow these steps in order to secure it:

  • The default user account, superuser, is the only account not protected against brute force login attacks, so it is very important that you set a password that cannot be guessed by a computer. Set a long password that also contains uppercase letters, digits and symbols.
  • Accessing the FileRun installation via SSL/HTTPS instead of plain HTTP will strongly increase your data security. Get a free SSL certificate for your server here: https://letsencrypt.org
  • Make sure session.cookie_httponly is set to On in your server's PHP configuration file, for increased security against cross-site scripting attacks.
  • Update the configured MySQL user account and remove the ALTER and DROP privileges. (You might need to add these back before installing any FileRun update.)
  • If you are on a shared hosting service, make sure the permissions of the FileRun application files do not allow PHP (or any other web server application) to make changes to them. Make an exception for the system/data folder and its contents, where FileRun needs to be able to make changes.
  • Make sure display_errors is set to Off in your server's PHP configuration file.
  • Register your FileRun installation, from the control panel, under Software licensing, to be able to keep the installation secure and up to date!
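
The following script is an added example, not part of FileRun or its documentation. It audits the two PHP directives and the file-permission rule from the list above. The function names are hypothetical, the sample php.ini and install tree are constructed, and it assumes PHP runs as a different user than the owner of the application files.

```shell
#!/bin/sh
# Added example, not FileRun code. Function names are hypothetical.

# Print the last uncommented value of directive $2 in php.ini $1, lowercased.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";[:space:]]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print one FAIL line per directive that differs from the guide; return 1 if any.
# A directive that is missing from the file is reported as well.
audit_php_ini() {
    rc=0
    case "$(ini_value "$1" session.cookie_httponly)" in
        on|1|true|yes) ;;
        *) echo "FAIL session.cookie_httponly is not On"; rc=1 ;;
    esac
    case "$(ini_value "$1" display_errors)" in
        off|0|false|no|none) ;;
        *) echo "FAIL display_errors is not Off"; rc=1 ;;
    esac
    return "$rc"
}

# List files and folders under FileRun root $1 that are group- or world-writable,
# skipping system/data, which FileRun must be able to change.
# Assumption: PHP runs as a different user than the file owner.
writable_outside_data() {
    find "$1" -path "$1/system/data" -prune -o \
        \( -perm -020 -o -perm -002 \) ! -type l -print | sort
}

# Constructed sample: a php.ini with one bad directive and a tiny fake install tree.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/root/system/data" "$d/root/css"
    printf '%s\n' '; display_errors = Off' 'display_errors = On' \
        'session.cookie_httponly = On' > "$d/php.ini"
    : > "$d/root/index.php"; : > "$d/root/css/style.css"; : > "$d/root/system/data/log.txt"
    chmod 755 "$d/root" "$d/root/css" "$d/root/system" "$d/root/system/data"
    chmod 644 "$d/root/index.php"
    chmod 666 "$d/root/css/style.css" "$d/root/system/data/log.txt"
    audit_php_ini "$d/php.ini" || true
    writable_outside_data "$d/root" | sed "s|^$d/||"
    rm -rf "$d"
}
demo
```

If PHP runs as the same account that owns the files, extend the `find` test with `-o -perm -200` so owner-writable files are listed too.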