
Security

Rob van der Linde edited this page Mar 9, 2024 · 4 revisions

Securing Sambal

Secrets and environment variables

Sambal isn't really designed to be put onto the Internet, and it is very much experimental at this point.

Use this on internal networks only.

Check the Configuration section first; it lists the various secrets you need to provide:

  • SAMBAL_REDIS_URL=redis://:password@host/0
  • SAMBAL_AUTH_SECRET=unique-secret
  • SAMBAL_SESSION_SECRET=different-secret

Don't use the same secret for SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET and never share these anywhere.

You MUST also put a password on Redis; don't use an unsecured Redis installation to store the credentials of logged-in users.

The application will now check for this and refuse to start on unsecured Redis installations (no password).

Using HTTPS

If you put Nginx or Apache in front of Sambal to add HTTPS to the site, make sure to also set these:

  • SAMBAL_HTTPS=True
  • SAMBAL_HSTS=True

Sambal will not redirect to HTTPS itself; that is up to the web server configuration.

HSTS is optional but recommended.
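The checks described in the two sections above (a Redis URL without a password is refused, the two secrets must differ, HSTS only makes sense behind HTTPS) as a small startup validator. This is an added example, not Sambal's own startup code; the MIN_SECRET_LEN threshold and the `validate_sambal_env` function name are assumptions.

```python
"""Startup validation for the SAMBAL_* settings this page describes.

Added example, not code from the Sambal project. It refuses a Redis URL
without a password, rejects identical auth/session secrets, and warns when
HSTS is enabled without HTTPS. MIN_SECRET_LEN is an assumed threshold.
"""
import os
from urllib.parse import urlparse

MIN_SECRET_LEN = 32  # assumed minimum, not a documented Sambal requirement
TRUE_VALUES = {"1", "true", "yes", "on"}


def is_true(value):
    """Interpret a SAMBAL_HTTPS / SAMBAL_HSTS style value (e.g. 'True')."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def validate_sambal_env(env):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []

    # Redis: the wiki's example is redis://:password@host/0 - password required.
    parsed = urlparse(env.get("SAMBAL_REDIS_URL", ""))
    if parsed.scheme not in ("redis", "rediss"):
        problems.append("SAMBAL_REDIS_URL must be a redis:// or rediss:// URL")
    elif not parsed.password:
        problems.append("Redis URL has no password; refusing to store sessions there")

    # Secrets: both present, long enough, and not the same value.
    auth = env.get("SAMBAL_AUTH_SECRET", "")
    session = env.get("SAMBAL_SESSION_SECRET", "")
    for name, value in (("SAMBAL_AUTH_SECRET", auth), ("SAMBAL_SESSION_SECRET", session)):
        if len(value) < MIN_SECRET_LEN:
            problems.append(f"{name} is missing or shorter than {MIN_SECRET_LEN} characters")
    if auth and auth == session:
        problems.append("SAMBAL_AUTH_SECRET and SAMBAL_SESSION_SECRET must differ")

    # HSTS without HTTPS: the header is never sent over plain HTTP, so flag it.
    if is_true(env.get("SAMBAL_HSTS")) and not is_true(env.get("SAMBAL_HTTPS")):
        problems.append("SAMBAL_HSTS=True requires SAMBAL_HTTPS=True")

    return problems


if __name__ == "__main__":
    issues = validate_sambal_env(os.environ)
    for issue in issues:
        print("refusing to start:", issue)
    raise SystemExit(1 if issues else 0)
```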

Having an outbound proxy

People will try putting random things in the host URL field, so you will need an outbound proxy and strict control over what the Sambal host can connect to.
