Security
Sambal isn't really designed to be put onto the Internet, and it is very much experimental at this point.
Use this on internal networks only.
Check the Configuration section first; it lists the various secrets you need to provide:
SAMBAL_REDIS_URL=redis://:password@host/0
SAMBAL_AUTH_SECRET=unique-secret
SAMBAL_SESSION_SECRET=different-secret
Don't use the same secret for SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET, and never share these anywhere.
You MUST also put a password on Redis; don't use an unsecured Redis installation to store the credentials of logged-in users.
The application now checks for this and refuses to start on unsecured Redis installations (no password).
If you put Nginx or Apache in front to add HTTPS to the site, make sure to also set these:
SAMBAL_HTTPS=True
SAMBAL_HSTS=True
Sambal will not redirect to HTTPS itself; that is up to the web server config.
HSTS is optional but recommended.
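The checks described above (password on the Redis URL, distinct auth and session secrets, HSTS when HTTPS is on) can be expressed as a small startup validator. The following is an added example written for this page, not Sambal's own code; the function names, the `rediss` scheme handling and the error/warning split are assumptions about how such a check could be structured.

```python
"""Startup validation of the Sambal environment variables named on this page.

Hypothetical example (not Sambal's own code). It refuses to start when Redis
has no password or when the two secrets are identical, and only warns when
HSTS is off, because the page calls HSTS optional but recommended.
"""
import os
from urllib.parse import urlparse


class ConfigError(Exception):
    """Raised when the environment would run Sambal insecurely."""


def redis_url_has_password(url: str) -> bool:
    """True only if a redis:// or rediss:// URL carries a non-empty password."""
    parsed = urlparse(url)
    if parsed.scheme not in ("redis", "rediss"):
        return False
    return bool(parsed.password)


def check_settings(env: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]} for the given environment.

    Errors must stop the application; warnings are printed but tolerated.
    """
    errors, warnings = [], []

    redis_url = env.get("SAMBAL_REDIS_URL", "")
    if not redis_url:
        errors.append("SAMBAL_REDIS_URL is not set")
    elif not redis_url_has_password(redis_url):
        errors.append("Redis has no password; refusing to store logged-in "
                      "users' credentials in an unsecured Redis")

    auth = env.get("SAMBAL_AUTH_SECRET", "")
    session = env.get("SAMBAL_SESSION_SECRET", "")
    if not auth or not session:
        errors.append("SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET must both be set")
    elif auth == session:
        errors.append("SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET must differ")

    # Behind a TLS-terminating proxy the app is told it is served over HTTPS;
    # HSTS is optional per the page, so its absence is only a warning.
    https_on = env.get("SAMBAL_HTTPS", "").lower() == "true"
    hsts_on = env.get("SAMBAL_HSTS", "").lower() == "true"
    if https_on and not hsts_on:
        warnings.append("SAMBAL_HSTS is off; recommended when SAMBAL_HTTPS=True")

    return {"errors": errors, "warnings": warnings}


def validate_or_exit(env=None) -> dict:
    """Check the real process environment (or a supplied dict) and raise on errors."""
    env = dict(os.environ) if env is None else env
    result = check_settings(env)
    for line in result["warnings"]:
        print("warning:", line)
    if result["errors"]:
        raise ConfigError("; ".join(result["errors"]))
    return result


if __name__ == "__main__":
    # Constructed sample environment for an offline run.
    sample = {
        "SAMBAL_REDIS_URL": "redis://:example-password@redis.internal/0",
        "SAMBAL_AUTH_SECRET": "unique-secret",
        "SAMBAL_SESSION_SECRET": "different-secret",
        "SAMBAL_HTTPS": "True",
    }
    print(validate_or_exit(sample))
```

Run the check before the web server binds a port so a misconfigured deployment never serves a single request.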
People will try putting random strings in the host URL field, so you will need an outbound proxy and must strictly control what the Sambal host can connect to.
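An outbound proxy is the network-level control; an application-level allowlist on the host field complements it. The following is an added example, not Sambal's code: it resolves the user-supplied host and accepts it only if every resolved address falls inside an operator-approved network. The allowlist ranges, the hostnames and the resolver table are constructed for this example.

```python
"""Allowlist check for the user-supplied host field (added example, not Sambal's code).

A name that resolves to several addresses is accepted only if all of them are
inside an allowed network, so a record that also points at loopback or at an
unrelated range is rejected rather than half-trusted.
"""
import ipaddress
import re
import socket

# Constructed allowlist: the only networks this Sambal instance may reach.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# A bare hostname or IP literal only: no scheme, port, path or userinfo.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def system_resolver(host):
    """Resolve with the OS resolver; returns a list of address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


# Constructed lookup table so the example runs offline.
_CONSTRUCTED_TABLE = {
    "files.corp.example": ["10.20.3.4"],
    "mixed.example": ["10.20.3.5", "127.0.0.1"],
    "outside.example": ["203.0.113.9"],
}


def constructed_resolver(host):
    """Offline stand-in for system_resolver using the constructed table."""
    return _CONSTRUCTED_TABLE.get(host, [])


def is_allowed_target(host, resolver=system_resolver):
    """True if host is well-formed and every address it maps to is allowed."""
    if not isinstance(host, str) or not _HOST_RE.match(host):
        return False
    try:
        # An IP literal needs no lookup; everything else goes to the resolver.
        addresses = [host] if _looks_like_ip(host) else resolver(host)
    except (socket.gaierror, UnicodeError, ValueError, OSError):
        return False
    if not addresses:
        return False
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        if not any(ip in net for net in ALLOWED_NETWORKS):
            return False
    return True


def _looks_like_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("files.corp.example", "mixed.example", "127.0.0.1", "10.20.1.1"):
        print(candidate, is_allowed_target(candidate, constructed_resolver))
```

Call `is_allowed_target` before any connection attempt and log the rejected value; a stream of rejects from one session is a useful detection signal on its own.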