Securing FOSSBilling

This guide is incomplete. Please help us complete it using the "Edit this page" button in the sidebar. Thanks!

FOSSBilling configuration

These following documents security options under the config.php configuration file.

Security Options

Property descriptions

Config Property	Default Value	Allowed Values	Description
`mode`	`strict`	`strict` or `regular`	Setting this to `strict` sets cookies to have their `samesite` attribute set to `strict` and they will be set as `httpOnly`. Setting it to `regular` will use the default cookie properties except that they will still be set as `httpOnly`.
`force_https`	`true`	`bool`	Setting this to `true` will cause FOSSBilling to redirect all requests to HTTPS and force cookies to only be sent over HTTPS.
`cookie_lifespan`	`7200`	`int`	This property configures the number of seconds that cookies and session is considered valid for. After this time period, they will expire and be destroyed. The default configuration is `7200` seconds (2 hours).

Example in the config

'security' => [
	'mode' => 'strict',
	'force_https' => true,
	'cookie_lifespan' => 7200,
],

API options

Property Descriptions

Config Property	Default Value	Allowed Values	Description
`CSRFPrevention`	`true`	`bool`	Enables or disables the usage of a CSRF protection system. This should be enabled at all times unless it is specifically causing issues.

Example in the config

'api' => [
	'CSRFPrevention' => true,
],

Cloudflare

Enable IP Geolocation under your website's Network settings. This will allow FOSSBilling to use a visitor's country (based on IP address) to help prevent session hijacking.

Reverse proxies

Indicating HTTPS

Because of how reverse proxies typically work, it's common for the usage of it to make FOSSBilling think it's being accessed without HTTPS. To fix this, simply ensure that your reverse proxy is forwarding the X-Forwarded-Proto header and that it's correctly set to https.

Reporting a Vulnerability JavaScript Wrapper