- Expose Fossil web UI only behind TLS.
- Restrict admin endpoints to management networks.
- Disable anonymous write capabilities.
¶ Auth and Permissions
- Use strong role-based user permissions.
- Enforce strong admin credentials and MFA via reverse proxy if needed.
- Audit user/account changes frequently.
- Keep Fossil updated to the current stable version.
- Back up repositories and test point-in-time recovery.
- Monitor push/pull and sync logs for anomalies.
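A way to check the "disable anonymous write" and "audit user permissions" items above is to inspect the capability strings Fossil assigns to its built-in `nobody` and `anonymous` pseudo-users and flag any letter that grants write or privileged access. The script below is an added example and is not part of the original checklist or of the Fossil project; it assumes that `fossil user -R REPO capabilities USERNAME` prints a user's capability string, and that the capability letters listed in the comment carry the meanings given in Fossil's capability documentation.

```shell
#!/bin/sh
# Added example: audit Fossil user capability strings for write-level access.
# Assumption: "fossil user -R REPO capabilities USERNAME" prints the user's
# capability string, and the letters below mean what Fossil's capability
# documentation says they do:
#   a=Admin  s=Setup  i=Check-In  k=Write-Wiki  w=Write-Tkt  y=Write-Unversioned
#   d=Delete  b=Attachments  f=New-Wiki  n=New-Tkt  c=Append-Tkt  m=Append-Wiki
#   x=Private  v=Developer  p=Password  l=Mod-Wiki  q=Mod-Tkt
WRITE_CAPS="asikwydbfncmxvplq"

# write_caps_in CAPSTRING
#   Prints the write-granting letters present in CAPSTRING (in WRITE_CAPS order).
#   Exit status 0 if at least one was found, 1 if none. Pure shell, no Fossil needed.
write_caps_in() {
  caps=$1
  rest=$WRITE_CAPS
  found=""
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}        # first character of $rest
    rest=${rest#?}               # drop that character
    case $caps in
      *"$c"*) found="$found$c" ;;
    esac
  done
  printf '%s\n' "$found"
  [ -n "$found" ]
}

# audit_user REPOSITORY USERNAME
#   Reports whether USERNAME in the Fossil repository file REPOSITORY holds any
#   write capability. Returns 0 when clean, 1 when write capabilities are found,
#   2 when the fossil command itself fails. Requires the fossil binary on PATH.
audit_user() {
  repo=$1
  user=$2
  caps=$(fossil user -R "$repo" capabilities "$user") || return 2
  if bad=$(write_caps_in "$caps"); then
    printf 'WARN: %s has write capabilities [%s] (full string: %s)\n' "$user" "$bad" "$caps"
    return 1
  fi
  printf 'OK: %s has no write capabilities (%s)\n' "$user" "$caps"
  return 0
}

# Usage: sh audit-fossil-caps.sh /path/to/repo.fossil
# Audits the two pseudo-users that represent unauthenticated access; anything
# other than "OK" for these means the repository accepts writes without login.
if [ -n "$1" ] && command -v fossil >/dev/null 2>&1; then
  for u in nobody anonymous; do
    audit_user "$1" "$u"
  done
fi
```

Run it from a cron job or CI step against each repository file and alert on any `WARN` line; the same `write_caps_in` check can be applied to every user in `fossil user list` when reviewing account changes.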