How secure is Discourse?


(xiasummer) #1

I really like this system.

I’d like to build a system to add some of my and my friends’ important information into the system. But I’m afraid that our info will be stolen or hacked.

How to protect this system? Or should I just change into another system?


#3

Mmm :thinking:

How many sites like Discourse do you know that have got HackerOne’s services?


(Gerhard Schlager) #4

We take security very seriously at Discourse. We welcome any peer review of our 100% open source code to ensure nobody’s Discourse forum is ever compromised or hacked.

You can read more about that at discourse/SECURITY.md at master · discourse/discourse · GitHub


(Jae Van Rysselberghe) #5

The only way to fully secure any piece of software (online or offline) is to take it to the desert, drop it in a 20ft hole and dump cement over it. So, 100% continuous, permanent security is not possible (just look at Denuvo).

But, if the question is “Is open source software more secure than closed software”, then the basic reasoning behind answering this question is that with open source software (that has a large user base with active feedback) any security exploits get reported quickly, and therefore can get plugged (fixing said security issue) quickly.

There are some things you can do yourself:

  • Choose a reputable hosting company.
  • Add additional protection to your server with a firewall.
  • Install an SSL.
  • Use a strong password (duh).
  • Secure your admin email address with double verification.
  • Use an online service such as Sucuri which will send you a notification (email, sms) when your website has been defaced, hacked, or blacklisted by Google.

Any member can maliciously still copy/paste the information for the rest of the world to see.

A good thing to know about Discourse based on what I’ve read on this forum/meta is that any image or uploaded document (pdf, word, excel, etc.) can be accessed even when the forum is set to private if somebody from outside the forum knows the exact url for the file.


(Jeff Atwood) #6

The main site settings you would want to flip on here:

  • HTTPS, obviously!
  • secure email (don’t leak content over email)
  • login required (don’t show content to anons)
  • account approval required or invite only to taste (don’t allow anyone except people you know / approve to join)

Can you think of anything else here @erlend_sh?


(xiasummer) #7

These are great ideas.


#8

Wouldn’t “prevent anons from downloading files” prevent these kinds of things?
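As an added example (not code from the thread or from the Discourse project), here is a small audit script that checks the settings recommended in #6, plus the “prevent anons from downloading files” setting asked about in #8, against the JSON a Discourse admin API returns. The endpoint `/admin/site_settings.json`, the `Api-Key`/`Api-Username` headers, and the exact setting names (`force_https`, `private_email`, `login_required`, `must_approve_users`, `invite_only`, `prevent_anons_from_downloading_files`) are assumptions based on the Discourse admin UI; confirm them on your own instance. The sample response at the bottom is constructed so the script runs offline.

```python
"""Audit a Discourse forum's hardening-related site settings.

Added example for this thread, not Discourse project code. The admin
endpoint, request headers and setting names are assumptions; verify them
against your own instance before relying on the output.
"""
import json
import urllib.request

# Setting name -> desired value. Names are assumptions (see module docstring).
HARDENING = {
    "force_https": True,                           # "HTTPS, obviously!"
    "private_email": True,                         # "secure email": keep post content out of mail
    "login_required": True,                        # "login required": nothing for anonymous users
    "must_approve_users": True,                    # "account approval required" ...
    "invite_only": True,                           # ... or "invite only", to taste
    "prevent_anons_from_downloading_files": True,  # raised in post #8
}

# Either of these gates membership; one being on is enough.
MEMBERSHIP_GATES = ("must_approve_users", "invite_only")


def _as_bool(value):
    """Discourse may serialise booleans as real bools or as 'true'/'false' strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def audit(site_settings_json):
    """Compare the settings payload with HARDENING.

    Returns a dict with the settings that are enabled, disabled, or absent
    from the payload (unknown), whether membership is gated at all, and the
    list that actually needs action (disabled, minus a redundant gate).
    """
    current = {
        entry["setting"]: entry.get("value")
        for entry in site_settings_json.get("site_settings", [])
    }
    enabled, disabled, unknown = [], [], []
    for name, wanted in HARDENING.items():
        if name not in current:
            unknown.append(name)
        elif _as_bool(current[name]) == wanted:
            enabled.append(name)
        else:
            disabled.append(name)

    membership_gated = any(gate in enabled for gate in MEMBERSHIP_GATES)
    # If one gate is on, the other being off is not a finding.
    action_needed = [
        name for name in disabled
        if not (membership_gated and name in MEMBERSHIP_GATES)
    ]
    return {
        "enabled": enabled,
        "disabled": disabled,
        "unknown": unknown,
        "membership_gated": membership_gated,
        "action_needed": action_needed,
    }


def fetch_site_settings(base_url, api_key, api_username="system"):
    """Fetch the live settings (assumed endpoint and headers; not run offline)."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/admin/site_settings.json",
        headers={
            "Api-Key": api_key,
            "Api-Username": api_username,
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


# Constructed sample payload in the shape the endpoint is assumed to return.
SAMPLE = {"site_settings": [
    {"setting": "force_https", "value": "true"},
    {"setting": "private_email", "value": False},
    {"setting": "login_required", "value": "true"},
    {"setting": "must_approve_users", "value": "false"},
    {"setting": "invite_only", "value": "true"},
    {"setting": "title", "value": "Private forum"},
]}


if __name__ == "__main__":
    result = audit(SAMPLE)
    for name in result["action_needed"]:
        print("NEEDS ATTENTION:", name)
    for name in result["unknown"]:
        print("NOT IN PAYLOAD (check the setting name):", name)
    print("membership gated:", result["membership_gated"])
```

Against a live forum, replace `SAMPLE` with `fetch_site_settings("https://forum.example", api_key)` using an admin API key; treat any setting reported as “not in payload” as a sign the assumed name differs on your version rather than as a pass.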