Securing FOSSBilling




FOSSBilling ships with its security features enabled and set to their strictest values by default. These options can be relaxed, but it is recommended to keep them at their defaults.

Security Options

  • Security Mode:

    • Default: strict
    • Options:
      • strict:
        • Cookies are marked Secure, so browsers only send them over HTTPS (a strict-mode instance must therefore be served over HTTPS, or browsers will not return the session cookie)
        • Cookies have the SameSite attribute set to Strict
        • Cookies are marked HttpOnly, so they are not readable from JavaScript
      • regular: Allows plain HTTP connections and uses your server's default cookie settings, so the Secure, SameSite=Strict and HttpOnly attributes are no longer forced.
    • Configuration: Set the option mode in the config.php file.
  • HTTPS Redirection:

    • Default: true
    • Options: true or false
    • Configuration: Set the option force_https in the config.php file.
  • Cookie Lifespan:

    • Default: 7200 seconds (2 hours)
    • Configuration: Set the option cookie_lifespan in the config.php file to the desired maximum lifespan of cookies in seconds. A shorter lifespan limits how long a stolen session cookie remains usable.
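The three settings above are observable from outside the instance: a plain-HTTP request should answer with a redirect to an https:// URL (force_https), and every Set-Cookie header on the HTTPS site should carry Secure, HttpOnly and SameSite=Strict, with any Max-Age no larger than cookie_lifespan. The following audit script is an added example, not FOSSBilling code; it checks the raw output of `curl -si <url>` (status line plus headers) against those expectations. The sample responses, the cookie name PHPSESSID and the host billing.example.com are constructed for illustration, not captured from a real instance.

```python
"""Audit a FOSSBilling instance's response headers for strict-mode cookie
hygiene and the force_https redirect.  Added example, not FOSSBilling code."""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_LIFESPAN = 7200  # FOSSBilling's default cookie_lifespan, in seconds


def parse_set_cookie(value: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as Secure map to None."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_set_cookie(value: str, max_lifespan: int = DEFAULT_LIFESPAN) -> list[str]:
    """Return every deviation of one Set-Cookie header from strict-mode settings."""
    name, attrs = parse_set_cookie(value)
    findings: list[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie would be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (cookie readable from JavaScript)")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite != "strict":
        findings.append(f"{name}: SameSite is {samesite or 'unset'!r}, expected Strict")
    max_age = attrs.get("max-age")
    if max_age is not None:
        if not max_age.isdigit():
            findings.append(f"{name}: unparsable Max-Age {max_age!r}")
        elif int(max_age) > max_lifespan:
            findings.append(f"{name}: Max-Age {max_age} exceeds cookie_lifespan {max_lifespan}")
    return findings


def audit_http_redirect(status: int, location: str | None) -> list[str]:
    """Check that a plain-HTTP request was redirected to an https:// URL."""
    if status not in (301, 302, 307, 308):
        return [f"HTTP request answered with {status} instead of a redirect to HTTPS"]
    if not location or urlsplit(location).scheme != "https":
        return [f"redirect Location {location!r} is not an https:// URL"]
    return []


def audit_raw_response(raw: str, plain_http_request: bool,
                       max_lifespan: int = DEFAULT_LIFESPAN) -> list[str]:
    """Audit the text of `curl -si <url>`: status line, headers, blank line, body.
    plain_http_request=True means the URL was http://, so a redirect to https://
    is expected; in both cases every Set-Cookie header is checked."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    findings: list[str] = []
    location = None
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers; ignore the body
        if ":" not in line:
            continue
        header, value = line.split(":", 1)
        header, value = header.strip().lower(), value.strip()
        if header == "location":
            location = value
        elif header == "set-cookie":
            findings += audit_set_cookie(value, max_lifespan)
    if plain_http_request:
        findings += audit_http_redirect(status, location)
    return findings


# Constructed sample responses (not captured from a real instance).
STRICT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
)
REGULAR_RESPONSE = "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; Path=/\r\n"
OVERLONG_COOKIE = "PHPSESSID=abc123; Path=/; Max-Age=86400; Secure; HttpOnly; SameSite=Strict"
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://billing.example.com/\r\n"
HTTP_NO_REDIRECT = "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; Path=/\r\n"

if __name__ == "__main__":
    for label, raw, plain in [("strict https", STRICT_RESPONSE, False),
                              ("regular https", REGULAR_RESPONSE, False),
                              ("http redirect", HTTP_REDIRECT, True),
                              ("http no redirect", HTTP_NO_REDIRECT, True)]:
        print(label, "->", audit_raw_response(raw, plain) or "ok")
    print("overlong cookie ->", audit_set_cookie(OVERLONG_COOKIE))
```

Against a live instance, pipe the output of `curl -si http://your-host/` into `audit_raw_response(..., plain_http_request=True)` and `curl -si https://your-host/` into `audit_raw_response(..., plain_http_request=False)`; an empty list means the instance behaves as the strict defaults describe.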

API Options

  • CSRF Prevention:
    • Default: true
    • Options: true or false
    • Configuration: Set the option CSRFPrevention in the config.php file.
      • Note: Disabling this protection is not recommended; it leaves your instance open to cross-site request forgery against the API. This option exists only for backwards compatibility.

Hosting Environment

These documents are incomplete. If you have suggestions, we'd appreciate a pull request on our GitHub account.

  • Ensure you have a valid TLS certificate configured on your web server, with TLS 1.3 (and TLS 1.2 for older clients) enabled and the deprecated TLS 1.0 and 1.1 disabled.