Adshares AdServer hardening should focus on network segmentation, token security, and protecting the multi-module service boundary.
1) Keep the required domain split and protect each endpoint
Adshares documentation requires distinct subdomains (panel, app, au) with different purposes. Treat them as separate trust zones.
Practical controls:
- apply strict WAF / DDoS protection at DNS proxy (Adshares docs explicitly recommend this)
- expose only required endpoints publicly
- restrict administrative actions to the panel endpoint and trusted operator networks
- keep API and context endpoints monitored for abuse patterns
2) Enforce token and OAuth2 security
Adshares API authorization uses Bearer tokens (JWT) with OAuth2 flows via Laravel Passport.
Hardening controls:
- use short-lived integration tokens where possible
- select minimum scopes when creating personal access tokens
- store client_id and client_secret in secret management, never in code repositories
- revoke tokens immediately on integration or account compromise
3) Isolate service modules and data stores
Adshares runs several modules (adserver, adpanel, adselect, aduser, adpay, adcontroller) with mixed storage backends (MySQL + Elasticsearch).
- isolate module-to-module traffic with firewall policy
- restrict DB/Elasticsearch access to service network only
- run services as dedicated adshares system user (or equivalent least-privilege account)
- monitor each module separately for auth, API, and queue failures
4) Protect supply-chain and update flow
Adshares recommends updates through the same Ansible role used for deployment.
- pin known-good deployment role/version in infrastructure code
- stage-test updates before production rollout
- perform partial module updates only with rollback plan
- audit deployment logs for failed migrations/config drifts
Adshares docs include ads.txt integration and ad zone deployment options.
- keep ads.txt records current for all publisher domains
- rotate ad tags/keys if publisher integration is compromised
- monitor invalid request/context anomalies on au path
- use local JS hosting/fallback options only with integrity checks
- Adshares docs: How to start AdServer (domain split, module layout, update flow): https://docs.adshares.net/adserver/how-to-start-adserver.html
- Adshares docs: API Authorization (JWT/OAuth2 flows, scopes, revocation): https://docs.adshares.net/adserver/api/authorization.html
- Adshares docs: ads.txt (authorized seller validation): https://docs.adshares.net/adserver/ads-txt.html