Securing FOSSBilling

Securing FOSSBilling

This guide is incomplete. Please help us complete it using the "Edit this page" button in the sidebar. Thanks!

FOSSBilling configuration

These following documents security options under the config.php configuration file.

Security Options

Property descriptions

Config PropertyDefault ValueAllowed ValuesDescription
modestrictstrict or regularSetting this to strict sets cookies to have their samesite attribute set to strict and they will be set as httpOnly. Setting it to regular will use the default cookie properties except that they will still be set as httpOnly.
force_httpstrueboolSetting this to true will cause FOSSBilling to redirect all requests to HTTPS and force cookies to only be sent over HTTPS.
session_lifespan7200intThis property configures the number of seconds that sessions are considered valid for. After this time period, they will expire and be destroyed. The default configuration is 7200 seconds (2 hours).

Example in the config

'security' => [
	'mode' => 'strict',
	'force_https' => true,
	'session_lifespan' => 7200,

API options

Property Descriptions

Config PropertyDefault ValueAllowed ValuesDescription
CSRFPreventiontrueboolEnables or disables the usage of a CSRF protection system. This should be enabled at all times unless it is specifically causing issues.

Example in the config

'api' => [
	'CSRFPrevention' => true,


  • Enable IP Geolocation under your website's Network settings. This will allow FOSSBilling to use a visitor's country (based on IP address) to help prevent session hijacking.

Reverse proxies

Indicating HTTPS

Because of how reverse proxies typically work, it's common for the usage of it to make FOSSBilling think it's being accessed without HTTPS. To fix this, simply ensure that your reverse proxy is forwarding the X-Forwarded-Proto header and that it's correctly set to https.