This guide describes recommended configurations and practices in order to keep your network secure.
Enable Production Mode
By default, HumHub operates in DEBUG mode, which among other things uses different error handling and non-combined assets. Before opening your installation to the public, enable production mode by commenting out the following lines of the index.php file within your HumHub root directory:
Note: In this example the lines are already commented out.
You should also delete the index-test.php file in your HumHub root directory, if it exists.
Please make sure you have followed the directory permissions described in the Installation Guide!
Limit User Access
If you're running a private social network, make sure the user registration has been disabled or the approval system for new users has been enabled.
- Disable user registration:
Administration -> Users -> Settings -> Anonymous users can register
- Enable user approvals:
Administration -> Users -> Settings -> Require group admin approval after registration
- Make sure guest access is disabled:
Administration -> Users -> Settings -> Allow limited access for non-authenticated users (guests)
Password Strength Configuration
HumHub provides an option for adding additional validation rules for user passwords during registration using regular expressions. Additional password validation rules can be configured by changing application parameters within the protected/config/common.php configuration
Each key should be a valid regular expression, and its value the error message. To localize the error message, you have to define a new message file with the following path pattern:
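The rule format described above (regular expression as key, error message as value) can be checked before it is placed in the configuration. The following script is an added example, not HumHub code: the rules, messages and sample passwords are constructed, the function names are hypothetical, and it assumes each key is evaluated as a PCRE pattern with preg_match.

```php
<?php
// Added example, not HumHub code. Rules and sample passwords are constructed.
// Assumption: each rule key is evaluated as a PCRE pattern (preg_match).

/** Return the rule keys that do not compile as PCRE patterns. */
function invalidPatterns(array $rules): array
{
    $invalid = [];
    foreach (array_keys($rules) as $pattern) {
        // preg_match() returns false and raises a warning on a broken pattern.
        if (@preg_match((string) $pattern, '') === false) {
            $invalid[] = $pattern;
        }
    }
    return $invalid;
}

/** Return the error messages of every valid rule the password fails. */
function passwordErrors(string $password, array $rules): array
{
    $errors = [];
    foreach ($rules as $pattern => $message) {
        // 0 means "compiled but did not match"; false (broken rule) is skipped.
        if (@preg_match((string) $pattern, $password) === 0) {
            $errors[] = $message;
        }
    }
    return $errors;
}

$rules = [
    '/\A.{12,}\z/su' => 'Password must be at least 12 characters long.',
    '/[A-Z]/'        => 'Password must contain an uppercase letter.',
    '/[a-z]/'        => 'Password must contain a lowercase letter.',
    '/\d/'           => 'Password must contain a digit.',
    '^.{8,}$'        => 'Broken rule: the pattern has no delimiters.',
];

foreach (invalidPatterns($rules) as $pattern) {
    echo "INVALID PATTERN: {$pattern}\n";
}

foreach (['summer2024', 'Correct-Horse-7-Battery'] as $candidate) {
    $errors = passwordErrors($candidate, $rules);
    echo $candidate . ': ' . ($errors ? implode(' | ', $errors) : 'accepted') . "\n";
}
```

A pattern reported as invalid here never produces a match result, so fix or remove it before relying on the rule set.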
Web Security Configuration
HumHub 1.4 comes with a built-in web security configuration used to set security headers and CSP rules. The default security configuration can be found at
Since the default security settings are rather loose, you may want to align those settings to your own requirements. The strictest CSP settings for your installation depend heavily on the features in use, such as installed modules, configured oEmbed providers or custom iframe pages.
The following example demonstrates a stricter web security model:
There are three main configuration sections within your security settings, as described in the following:
This part may contain security headers and values, for example:
If you want to add a Content-Security-Policy header in the headers section of your configuration, remove the
The csp section is used to configure the Content-Security-Policy, which manages allowed resources such as scripts, images and stylesheets.
Please refer to the following links for more information about the CSP and the configuration format used in HumHub:
Note: the examples shown in the CSP Builder documentation use the JSON format while the HumHub configuration uses a PHP array format.
This section can be used to define a CSP rule that only logs violations to Administration -> Information -> Logging rather than blocking the resources on the client. This can be used to test CSP rules on your installation.
As described above, the csp-report-only section of your web security configuration can be used to define CSP rules which are only used for debugging and testing and do not have any effect on the client. The csp-report-only can be used along
It is also possible to set the report setting of your csp section to true. This enables CSP violation logging while still enforcing the CSP rule.
The csp section also supports a nonce setting for your script-src. This can be enabled by setting nonce => true within your custom security configuration.
If enabled, modern browsers will only execute scripts containing a generated nonce token.
Note: Since this feature is rather new, some modules may not support it.
Note: The security rules are cached; you may have to clear the cache in order to update the active rule configuration.
This section assembles some guidelines and restrictions regarding custom CSP settings in HumHub.
- The HumHub core currently requires img-src data: for page icon and image upload in Administration -> Settings -> Appearance
- When using the enterprise edition you should allow
- When noticing any issues with external modules, please inform the module owner.
- When developing custom modules, try to test against the strictest csp rules (see default acceptance test csp rules) and provide information about csp restrictions in your module description.
Keep HumHub Up-To-Date
As an admin, you'll receive notifications about new HumHub releases. We strongly recommend always updating to the latest stable version if possible. Check the update guide for more information about updating your HumHub installation.
Furthermore, you should regularly check the Administration -> Modules -> Available Updates section for module updates.
We take security very seriously, and we're continuously improving the security features of HumHub.