starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-02-17 19:06:49 +03:00
Code Issues 784 Packages Projects Releases 10 Wiki Activity

Guidance required on security for BookStack #2343

New Issue
Closed
opened 2026-02-05 03:44:19 +03:00 by OVERLORD · 5 comments
OVERLORD commented 2026-02-05 03:44:19 +03:00
Owner
Copy Link

Originally created by @techauthoruk on GitHub (Aug 3, 2021).

Hi

I am a VERY happy user of BookStack and am really impressed with its level of features, but I wonder if anyone could weigh in with their experiences of tightening security of BookStack.

I have been tasked with improving the security of both the app and server - not my field of expertise as I'm a Technical Author / Engineer, but I'm learning as I go... I don't really need suggestions on what to do, rather I need comments relating to the impact of enabling/implementing certain features within BookStack. I will summarise below (apologies for the length, but I'm trying to be thorough):

  1. Higher security image uploads - I have enabled this (as I understand what it does). However, I assume this only applies to new image uploads? Is it possible to apply this to existing image uploads? I have also implemented the change to the Apache 2 virtual hosts config: <Location "/uploads"> Options -Indexes </Location>
  2. Public access - I have turned this off as it seems that this is too risky given the sensitive nature of some of our information. Public access isn't a problem per se, but once other people start having editing rights this could cause a problem, hence disabling it. I have also added ALLOW_ROBOTS=false to the .env file; I suppose this isn't necessary with public access off, but it seemed sensible to do. Is this the case?
  3. APP_URL - this is set to the specific https address of our instance in the .env file - I assume nothing further is required for this?
  4. Host Iframe Control - This might seem like overkill, but I also enabled ```ALLOWED_IFRAME_HOSTS="https://xxxxxxxx.com"to the.env` file as well, more as a precaution - will this cause any issues?
  5. Secure Cookies - again, might be overkill but I enabled SESSION_SECURE_COOKIE=true in the .env file even though the instance is served by https - again, will this cause issues?
  6. Failed Access Logging - I installed Fail2Ban on the server, so I added the LOG_FAILED_LOGIN_MESSAGE option to the .env file
  7. Image Authentication - I'm really confused on this one....I understand I need to move all my 'public' images to storage/uploads/images then delete anything in public/uploads/images, but will my existing pages still be able to access the images once I have moved them? Also, what does you may have to clean-up and re-upload any ‘App Icon’ images, in settings mean? Is this the 'Cleanup' option in 'Settings' 'Maintenance'?
  8. Authentication Methods - is adopting an authentication method such as LDAP or AzureAD more secure that the normal user/password login method, or is it just more convenient? I have no expertise in this area but I think our IT guys use Azure and LDAP on other apps, so this shouldn't present a problem if I need to implement it.

I think that covers everything - apologies for the length of the post and hope you can shed light on this for me!

Best wishes

Mark

Originally created by @techauthoruk on GitHub (Aug 3, 2021). Hi I am a **VERY** happy user of BookStack and am really impressed with its level of features, but I wonder if anyone could weigh in with their experiences of tightening security of BookStack. I have been tasked with improving the security of both the app and server - not my field of expertise as I'm a Technical Author / Engineer, but I'm learning as I go... I don't really need suggestions on what to do, rather I need comments relating to the impact of enabling/implementing certain features within BookStack. I will summarise below (apologies for the length, but I'm trying to be thorough): 1. **Higher security image uploads** - I have enabled this (as I understand what it does). However, I assume this only applies to new image uploads? Is it possible to apply this to existing image uploads? I have also implemented the change to the Apache 2 virtual hosts config: ``` <Location "/uploads"> Options -Indexes </Location> ``` 2. **Public access** - I have turned this off as it seems that this is too risky given the sensitive nature of some of our information. Public access isn't a problem per se, but once other people start having editing rights this could cause a problem, hence disabling it. I have also added `ALLOW_ROBOTS=false ` to the `.env` file; I suppose this isn't necessary with public access off, but it seemed sensible to do. Is this the case? 3. **`APP_URL`** - this is set to the specific https address of our instance in the `.env` file - I assume nothing further is required for this? 4. **Host Iframe Control** - This might seem like overkill, but I also enabled ```ALLOWED_IFRAME_HOSTS="https://xxxxxxxx.com"` to the `.env` file as well, more as a precaution - will this cause any issues? 5. **Secure Cookies** - again, might be overkill but I enabled ```SESSION_SECURE_COOKIE=true``` in the `.env` file even though the instance is served by https - again, will this cause issues? 6. **Failed Access Logging** - I installed Fail2Ban on the server, so I added the `LOG_FAILED_LOGIN_MESSAGE` option to the `.env` file 7. **Image Authentication** - I'm really confused on this one....I understand I need to move all my 'public' images to `storage/uploads/images` then delete anything in `public/uploads/images`, but will my existing pages still be able to access the images once I have moved them? Also, what does `you may have to clean-up and re-upload any ‘App Icon’ images, in settings` mean? Is this the 'Cleanup' option in 'Settings' 'Maintenance'? 8. **Authentication Methods** - is adopting an authentication method such as LDAP or AzureAD more secure that the normal user/password login method, or is it just more convenient? I have no expertise in this area but I think our IT guys use Azure and LDAP on other apps, so this shouldn't present a problem if I need to implement it. I think that covers everything - apologies for the length of the post and hope you can shed light on this for me! Best wishes Mark
OVERLORD commented 2026-02-05 03:44:28 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Aug 3, 2021):

Hi @techauthoruk,

  1. Higher security image uploads - I have enabled this (as I understand what it does). However, I assume this only applies to new image uploads? Is it possible to apply this to existing image uploads? I have also implemented the change to the Apache 2 virtual hosts config: <Location "/uploads"> Options -Indexes

No way to apply to existing image uploads I'm afraid. I would advise that the Options -Indexes is applied to your entire BookStack site, Not just the uploads.

  1. Public access - I have turned this off as it seems that this is too risky given the sensitive nature of some of our information. Public access isn't a problem per se, but once other people start having editing rights this could cause a problem, hence disabling it. I have also added ALLOW_ROBOTS=false to the .env file; I suppose this isn't necessary with public access off, but it seemed sensible to do. Is this the case?

Disabling public access does add a good extra barrier of authentication and prevents a host of potential vulnerabilities being so much of a concern. Robots change is fairly redundant in terms of content being accessed but any extra anonymity is still good I suppose.

  1. APP_URL - this is set to the specific https address of our instance in the .env file - I assume nothing further is required for this?

Yeah, As long as that's set to your https base URL then all good.

  1. Host Iframe Control - This might seem like overkill, but I also enabled ALLOWED_IFRAME_HOSTS="https://xxxxxxxx.com" to the .env file as well, more as a precaution - will this cause any issues?

It would technically be more secure to leave this option empty unless BookStack is required to be served in an iframe on other sites. BookStack sets a high level of security on this by default then opens things up to allow iframe usage.

  1. Secure Cookies - again, might be overkill but I enabled SESSION_SECURE_COOKIE=true in the .env file even though the instance is served by https - again, will this cause issues?

Should not cause issues. This is actually the default state anyway if you have a https-based APP_URL set.

  1. Failed Access Logging - I installed Fail2Ban on the server, so I added the LOG_FAILED_LOGIN_MESSAGE option to the .env file.

If you have not already done so, Just installing Fail2Ban and enabling the option is not enough, You'll likely need to configure Fail2Ban to read the log messages and act upon them. Can go into a bit of a rabbit hole on this as details may change depending on operating system.

  1. Image Authentication - I'm really confused on this one....I understand I need to move all my 'public' images to storage/uploads/images then delete anything in public/uploads/images, but will my existing pages still be able to access the images once I have moved them? Also, what does you may have to clean-up and re-upload any ‘App Icon’ images, in settings mean? Is this the 'Cleanup' option in 'Settings' 'Maintenance'?

Make sure you do a backup of all files first. Image usage should remain as per before, and pages will still show those images. If an image is not found in the public space the request will go through BookStack which will check for active authentication. It can be a bit slower and potentially have issues on pages with many images but is often generally fine and adds a good layer of security to such images.

The "App Icon" note is in relation to the application logo setting. This image effectively has to remain in the public space due to being shown on the login/register etc... screen so re-uploading ensures it is put into the right place.

  1. Authentication Methods - is adopting an authentication method such as LDAP or AzureAD more secure that the normal user/password login method, or is it just more convenient? I have no expertise in this area but I think our IT guys use Azure and LDAP on other apps, so this shouldn't present a problem if I need to implement it.

It's often about convenience but that can often lead to security. One less password/login for users to handle/store/lose. One less account for admins to remember to remove if someone leaves etc....

As an extra note, I'm currently working on MFA which will add some additional optional security to logins if desired.

Keep in mind this is still a fairly complex project maintained by a minimal team in free time, Vulnerabilities have and will again sneak into the codebase. One of the best things you can do, if not already signed-up, is sign up to the security updates email list: https://updates.bookstackapp.com/signup/bookstack-security-updates.

@ssddanbrown commented on GitHub (Aug 3, 2021): Hi @techauthoruk, > 1. Higher security image uploads - I have enabled this (as I understand what it does). However, I assume this only applies to new image uploads? Is it possible to apply this to existing image uploads? I have also implemented the change to the Apache 2 virtual hosts config: <Location "/uploads"> Options -Indexes </Location> No way to apply to existing image uploads I'm afraid. I would advise that the `Options -Indexes` is applied to your entire BookStack site, Not just the uploads. > 2. Public access - I have turned this off as it seems that this is too risky given the sensitive nature of some of our information. Public access isn't a problem per se, but once other people start having editing rights this could cause a problem, hence disabling it. I have also added ALLOW_ROBOTS=false to the .env file; I suppose this isn't necessary with public access off, but it seemed sensible to do. Is this the case? Disabling public access does add a good extra barrier of authentication and prevents a host of potential vulnerabilities being so much of a concern. Robots change is fairly redundant in terms of content being accessed but any extra anonymity is still good I suppose. > 3. APP_URL - this is set to the specific https address of our instance in the .env file - I assume nothing further is required for this? Yeah, As long as that's set to your https base URL then all good. > 4. Host Iframe Control - This might seem like overkill, but I also enabled `ALLOWED_IFRAME_HOSTS="https://xxxxxxxx.com"` to the .env file as well, more as a precaution - will this cause any issues? It would technically be more secure to leave this option empty unless BookStack is required to be served in an iframe on other sites. BookStack sets a high level of security on this by default then opens things up to allow iframe usage. > 5. Secure Cookies - again, might be overkill but I enabled SESSION_SECURE_COOKIE=true in the .env file even though the instance is served by https - again, will this cause issues? Should not cause issues. This is actually the default state anyway if you have a https-based APP_URL set. > 6. Failed Access Logging - I installed Fail2Ban on the server, so I added the LOG_FAILED_LOGIN_MESSAGE option to the .env file. If you have not already done so, Just installing Fail2Ban and enabling the option is not enough, You'll likely need to configure Fail2Ban to read the log messages and act upon them. Can go into a bit of a rabbit hole on this as details may change depending on operating system. > 7. Image Authentication - I'm really confused on this one....I understand I need to move all my 'public' images to storage/uploads/images then delete anything in public/uploads/images, but will my existing pages still be able to access the images once I have moved them? Also, what does you may have to clean-up and re-upload any ‘App Icon’ images, in settings mean? Is this the 'Cleanup' option in 'Settings' 'Maintenance'? Make sure you do a backup of all files first. Image usage should remain as per before, and pages will still show those images. If an image is not found in the public space the request will go through BookStack which will check for active authentication. It can be a bit slower and potentially have issues on pages with many images but is often generally fine and adds a good layer of security to such images. The "App Icon" note is in relation to the application logo setting. This image effectively has to remain in the public space due to being shown on the login/register etc... screen so re-uploading ensures it is put into the right place. > 8. Authentication Methods - is adopting an authentication method such as LDAP or AzureAD more secure that the normal user/password login method, or is it just more convenient? I have no expertise in this area but I think our IT guys use Azure and LDAP on other apps, so this shouldn't present a problem if I need to implement it. It's often about convenience but that can often lead to security. One less password/login for users to handle/store/lose. One less account for admins to remember to remove if someone leaves etc.... --- As an extra note, I'm [currently working on MFA](https://github.com/BookStackApp/BookStack/pull/2827) which will add some additional optional security to logins if desired. Keep in mind this is still a fairly complex project maintained by a minimal team in free time, Vulnerabilities have and will again sneak into the codebase. One of the best things you can do, if not already signed-up, is sign up to the security updates email list: https://updates.bookstackapp.com/signup/bookstack-security-updates.
OVERLORD commented 2026-02-05 03:44:30 +03:00
Author
Owner
Copy Link

@Cave-Johnson commented on GitHub (Aug 3, 2021):

I would also recommend looking at putting your bookstack server behind an nginx reverse proxy and adding some additional security headers. A good starter config and description of the additional headers can be found here :https://gist.github.com/plentz/6737338

@Cave-Johnson commented on GitHub (Aug 3, 2021): I would also recommend looking at putting your bookstack server behind an nginx reverse proxy and adding some additional security headers. A good starter config and description of the additional headers can be found here :https://gist.github.com/plentz/6737338
OVERLORD commented 2026-02-05 03:44:40 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Aug 3, 2021):

An alternative, fairly digestible, guide to security headers, With apache config options, is Scott Helme's guide: https://scotthelme.co.uk/hardening-your-http-response-headers

@ssddanbrown commented on GitHub (Aug 3, 2021): An alternative, fairly digestible, guide to security headers, With apache config options, is Scott Helme's guide: https://scotthelme.co.uk/hardening-your-http-response-headers
OVERLORD commented 2026-02-05 03:44:44 +03:00
Author
Owner
Copy Link

@techauthoruk commented on GitHub (Aug 4, 2021):

@ssddanbrown - Dan, thank you for all the info. I have modified my changes in line with your comments, as well as implementing some of the things mentioned in Scott Helme's website. I think it's about as secure as I can make it for now. Thanks again Dan for all your input.

@Cave-Johnson - Thanks for the suggestion: currently we have one app behind an Apache reverse proxy, so I will ask our IT guys if they can do the same for my BookStack instance.

@techauthoruk commented on GitHub (Aug 4, 2021): @ssddanbrown - Dan, thank you for all the info. I have modified my changes in line with your comments, as well as implementing some of the things mentioned in Scott Helme's website. I think it's about as secure as I can make it for now. Thanks again Dan for all your input. @Cave-Johnson - Thanks for the suggestion: currently we have one app behind an Apache reverse proxy, so I will ask our IT guys if they can do the same for my BookStack instance.
OVERLORD commented 2026-02-05 03:44:51 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Aug 4, 2021):

When it comes to apache, You can easily add mod_security which adds an extra level or protection too, but might need to keep it in mind if you come across issues and you might need to tweak settings to be compatible with BookStack.

Will therefore close this off.

@ssddanbrown commented on GitHub (Aug 4, 2021): When it comes to apache, You can easily add mod_security which adds an extra level or protection too, but might need to keep it in mind if you come across issues and you might need to tweak settings to be compatible with BookStack. Will therefore close this off.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
Question
🚀 Priority
🛡️ Blocked
🚚 Export System
A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#2343
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?