Firefly III stores sensitive personal financial data. Its official security documentation is explicit about what is and is not protected by default.
¶ 1) Understand data-at-rest limits
Firefly III's documentation states that data in the database is not encrypted by default and that uploaded attachments are stored unencrypted on disk. Anyone who can read the database or the filesystem can therefore read everything the application can.
Required hardening:
- use full-disk encryption on the host or storage volume that holds the database and the uploads
- expose the database only to the application host or its private network, never to the internet
- use a dedicated database user with rights on the Firefly III database only
- lock down filesystem permissions on storage/upload and the log directory so that only the application user can read them
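The filesystem and network checks above can be scripted. The following is an added example, not tooling from the Firefly III project: it reports whether storage/upload and storage/logs grant any permission to "other", and flags a MySQL/MariaDB or PostgreSQL listener bound to anything but loopback in ss/netstat output. The install path in FF_ROOT and the two database ports are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not part of Firefly III: audit the data-at-rest exposure of an
# install. FF_ROOT (install or volume mount path) and the database ports
# (3306 MySQL/MariaDB, 5432 PostgreSQL) are assumptions for this check.
set -u
FF_ROOT=${FF_ROOT:-/var/www/firefly-iii}

# dir_world_accessible PATH
#   returns 0 if "other" holds any permission bit on PATH (any local account can
#   list, read or traverse it), 1 if it is locked down, 2 if PATH is missing.
dir_world_accessible() {
  [ -e "$1" ] || return 2
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 2
  case $mode in
    *0) return 1 ;;   # 750, 700, 2750 ...: nothing for "other"
    *)  return 0 ;;   # 755, 777 ...: world-readable or worse
  esac
}

# listener_exposed LINE
#   LINE is one row of `ss -ltn` or `netstat -ltn` output (the local address is
#   the 4th column in both). Returns 0 if a database port is bound to anything
#   other than loopback, 1 otherwise. Header rows and other ports return 1.
listener_exposed() {
  addr=$(printf '%s\n' "$1" | awk '{ print $4 }')
  port=${addr##*:}
  host=${addr%:*}
  case $port in 3306|5432) ;; *) return 1 ;; esac
  case $host in
    127.0.0.1|\[::1\]|localhost) return 1 ;;
    *) return 0 ;;   # 0.0.0.0, [::], a LAN address: reachable beyond the host
  esac
}

# audit: run both checks against the live system; returns 1 on any FAIL.
audit() {
  rc=0
  for d in "$FF_ROOT/storage/upload" "$FF_ROOT/storage/logs"; do
    if dir_world_accessible "$d"; then r=0; else r=$?; fi
    case $r in
      0) echo "FAIL  world-accessible: $d  (fix: chmod -R o-rwx '$d')"; rc=1 ;;
      1) echo "OK    $d" ;;
      *) echo "SKIP  not found: $d (set FF_ROOT)" ;;
    esac
  done
  if command -v ss >/dev/null 2>&1 || command -v netstat >/dev/null 2>&1; then
    tmp=$(mktemp)
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } >"$tmp"
    while IFS= read -r line; do
      if listener_exposed "$line"; then
        echo "FAIL  database port reachable beyond loopback: $line"; rc=1
      fi
    done <"$tmp"
    rm -f "$tmp"
  fi
  return $rc
}

# Only run the live audit when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
  audit
fi
```

Run it on the application host as `sh ff-audit.sh --run`; for Docker installs point FF_ROOT at the volume mount. The listener check is a host-level heuristic: a database container on an internal compose network with no published port does not show up, which is the state you want.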
¶ 2) Lock down auth and sessions
Firefly III supports two-factor authentication and can notify users of logins from new IP addresses.
- enable 2FA for every user account
- review owner-role assignments carefully: the first registered user becomes the owner
- disable open registration once the initial setup is done
- enable the login-from-new-IP notifications and act on the ones you did not expect
¶ 3) Keep debug off and logs quiet
The official docs warn that APP_DEBUG=true may leak sensitive data: Laravel's debug pages show stack traces and configuration values to whoever triggers an error.
- keep APP_DEBUG=false in production
- reduce log verbosity so that request data and secrets do not end up in the log files
- control who can read the log files and any Docker/stdout log collector that receives them
¶ 4) TLS and secret handling
- enforce HTTPS end-to-end, including between the reverse proxy and the application when they run on different hosts
- harden the reverse proxy and set TRUSTED_PROXIES so that forwarded headers (client IP, scheme) are accepted only from that proxy
- pass sensitive values via Docker secrets or secret files rather than plain environment variables in the compose file
- avoid plain-text secret handling in scripts
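Sections 3 and 4 come down to a handful of .env values, so they can be checked together. The script below is an added example, not code from the Firefly III project: it parses a .env file, fails on APP_DEBUG=true or a non-https APP_URL, warns on debug-level logging, on an unset or wildcard TRUSTED_PROXIES and on an inline DB_PASSWORD, and carries a constructed weak sample next to its hardened counterpart. The DB_PASSWORD_FILE secret convention and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Firefly III's own tooling: flag weak production settings in
# a Firefly III .env file. The keys checked (APP_DEBUG, APP_URL, APP_ENV,
# TRUSTED_PROXIES, LOG_LEVEL, DB_PASSWORD) are the ones the upstream
# .env.example uses; the DB_PASSWORD_FILE convention is assumed to be the
# Docker-secrets mechanism your deployment relies on.
set -u

# env_get FILE KEY : print KEY's value (last definition wins, surrounding double
# quotes stripped), or an empty line when KEY is unset. Comments are skipped.
env_get() {
  awk -v k="$2" -F= '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == k { v = substr($0, length(k) + 2); gsub(/^"|"$/, "", v); last = v }
    END { print last }
  ' "$1"
}

# env_findings FILE : print one "FAIL|WARN KEY: advice" line per issue.
# Returns 1 when at least one FAIL was found, 0 otherwise.
env_findings() {
  f=$1; bad=0
  v=$(env_get "$f" APP_DEBUG)
  if [ "$v" = "true" ]; then
    echo "FAIL APP_DEBUG: stack traces and config values are shown to users; set APP_DEBUG=false"; bad=1
  fi
  v=$(env_get "$f" APP_URL)
  case $v in
    https://*) ;;
    *) echo "FAIL APP_URL: must be the https URL users reach (got '${v:-unset}')"; bad=1 ;;
  esac
  v=$(env_get "$f" APP_ENV)
  [ "$v" = "production" ] || echo "WARN APP_ENV: '${v:-unset}' (Laravel convention is 'production' for live installs)"
  v=$(env_get "$f" TRUSTED_PROXIES)
  case $v in
    '')   echo "WARN TRUSTED_PROXIES: unset; behind a proxy, client IPs and scheme will be wrong" ;;
    '**') echo "WARN TRUSTED_PROXIES: '**' trusts every peer; X-Forwarded-* can be spoofed if the app is reachable without the proxy" ;;
  esac
  v=$(env_get "$f" LOG_LEVEL)
  [ "$v" != "debug" ] || echo "WARN LOG_LEVEL: debug writes verbose, possibly sensitive request data to logs"
  v=$(env_get "$f" DB_PASSWORD)
  [ -z "$v" ] || echo "WARN DB_PASSWORD: inline secret in .env; prefer DB_PASSWORD_FILE pointing at a Docker secret"
  return $bad
}

# write_sample weak|hardened PATH : constructed sample .env files (not from any
# real install) showing the weak settings next to the corrected ones.
write_sample() {
  case $1 in
    weak) cat >"$2" <<'EOF'
APP_ENV=local
APP_DEBUG=true
APP_URL=http://firefly.example.internal
LOG_LEVEL=debug
DB_PASSWORD="secret"
EOF
    ;;
    hardened) cat >"$2" <<'EOF'
APP_ENV=production
APP_DEBUG=false
APP_URL=https://firefly.example.internal
TRUSTED_PROXIES=172.18.0.2
LOG_LEVEL=notice
DB_PASSWORD_FILE=/run/secrets/firefly_db_password
EOF
    ;;
  esac
}

# With a path argument, audit that file; with none, audit the two samples.
if [ $# -ge 1 ]; then
  if env_findings "$1"; then echo "clean"; else echo "issues found"; fi
else
  for kind in weak hardened; do
    tmp=$(mktemp); write_sample "$kind" "$tmp"
    echo "== $kind sample =="
    if env_findings "$tmp"; then echo "clean"; else echo "issues found"; fi
    rm -f "$tmp"
  done
fi
```

Point it at the live file with `sh ff-env-check.sh /path/to/.env`; a non-zero exit makes it usable as a pre-deploy gate. TRUSTED_PROXIES is deliberately a warning rather than a failure: the wildcard is what a Docker-behind-a-proxy setup commonly needs, but it is only safe when nothing can reach the application port except that proxy.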
¶ 5) Monitor, back up and patch
- monitor for unusual login patterns and privilege changes
- back up the database and storage/upload together and test restoring both regularly; the attachments live on disk, not in the database
- keep to the latest supported release with a rapid patch/update process
- Firefly III Docs: Security: https://docs.firefly-iii.org/explanation/more-information/security/
- Firefly III GitHub Security Policy: https://github.com/firefly-iii/firefly-iii/security