Metabase has strong operator-facing controls in environment variables and permission models. The hardening priority is to protect secrets, bound session lifetime, and reduce data exposure through permissions.
¶ 1) Use production application database and encrypt settings
Metabase documentation recommends production deployments use PostgreSQL/MySQL for the application database instead of the embedded H2 database.
Required controls:
- run Metabase with PostgreSQL or MySQL as the application DB
- set MB_ENCRYPTION_SECRET_KEY in production so stored secrets are encrypted at rest
- back up the application DB and the secret key together in disaster recovery plans
¶ 2) Enforce secure sessions and cookie policy
Metabase supports explicit session and cookie controls through environment variables.
Harden these parameters:
- set MB_SESSION_TIMEOUT / MAX_SESSION_AGE to a bounded value for admin and privileged users
- set MB_SESSION_COOKIES=true so session cookies are marked secure (HTTPS only)
- terminate plain HTTP at the reverse proxy and force HTTPS globally
¶ 3) Tighten auth policy with password complexity and SSO where possible
Metabase includes password complexity controls and multiple authentication modes.
Recommended baseline:
- require strong passwords with MB_PASSWORD_COMPLEXITY and a minimum length with MB_PASSWORD_LENGTH
- disable local password logins for users who should authenticate only through SSO
- review account lifecycle controls (deprovisioning and admin role assignment) regularly
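The controls in sections 1 to 3 are all environment variables, so they can be checked mechanically before every deploy rather than by reading the admin UI. The POSIX shell script below is an added example, not tooling from the Metabase project: it audits a KEY=VALUE env file (the format used by docker-compose and systemd) against those settings. The two sample env files, the thresholds (8-hour session maximum, 12-character minimum password length) and all host names are constructed for the example; MB_DB_TYPE and MB_SITE_URL are real Metabase variables that this page does not list.

```shell
#!/bin/sh
# Added example (not Metabase's own tooling): audit a Metabase env file against
# the controls in sections 1-3. Thresholds below are this example's chosen
# policy, not Metabase defaults.

# Print the value of KEY ($2) from env file $1; empty if unset.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Audit one env file: prints one FINDING line per violation and returns the
# number of findings (0 means compliant with this example's policy).
check_metabase_env() {
  f="$1"; n=0
  fail() { echo "FINDING: $1"; n=$((n + 1)); }

  # 1) production application database, never the embedded H2 file
  case "$(env_get "$f" MB_DB_TYPE)" in
    postgres|mysql) ;;
    *) fail "MB_DB_TYPE must be postgres or mysql (H2 is not for production)" ;;
  esac

  # 1) encryption key present and at least 16 characters (Metabase's minimum)
  key="$(env_get "$f" MB_ENCRYPTION_SECRET_KEY)"
  [ "${#key}" -ge 16 ] || fail "MB_ENCRYPTION_SECRET_KEY missing or shorter than 16 chars"

  # 2) bounded session age in minutes; policy here: 480 (8 hours) maximum
  age="$(env_get "$f" MAX_SESSION_AGE)"
  case "$age" in
    ''|*[!0-9]*) fail "MAX_SESSION_AGE must be set to a number of minutes" ;;
    *) [ "$age" -le 480 ] || fail "MAX_SESSION_AGE $age exceeds policy maximum of 480" ;;
  esac

  # 2) session cookie setting recommended in section 2
  [ "$(env_get "$f" MB_SESSION_COOKIES)" = "true" ] || fail "MB_SESSION_COOKIES should be true"

  # 2) the public site URL must be https so cookies are only sent over TLS
  case "$(env_get "$f" MB_SITE_URL)" in
    https://*) ;;
    *) fail "MB_SITE_URL must be an https:// URL" ;;
  esac

  # 3) password policy: strong complexity and a minimum length of 12
  [ "$(env_get "$f" MB_PASSWORD_COMPLEXITY)" = "strong" ] || fail "MB_PASSWORD_COMPLEXITY should be strong"
  len="$(env_get "$f" MB_PASSWORD_LENGTH)"
  case "$len" in
    ''|*[!0-9]*) fail "MB_PASSWORD_LENGTH must be set" ;;
    *) [ "$len" -ge 12 ] || fail "MB_PASSWORD_LENGTH $len below policy minimum of 12" ;;
  esac

  return "$n"
}

# Constructed sample: a weak configuration (embedded H2, short key, 14-day sessions).
WEAK_ENV="$(mktemp)"
cat > "$WEAK_ENV" <<'EOF'
MB_DB_TYPE=h2
MB_ENCRYPTION_SECRET_KEY=short
MAX_SESSION_AGE=20160
MB_SESSION_COOKIES=false
MB_SITE_URL=http://metabase.internal.example
MB_PASSWORD_COMPLEXITY=weak
MB_PASSWORD_LENGTH=6
EOF

# Constructed sample: the hardened counterpart (secrets are placeholders).
HARDENED_ENV="$(mktemp)"
cat > "$HARDENED_ENV" <<'EOF'
MB_DB_TYPE=postgres
MB_DB_HOST=db.internal.example
MB_DB_DBNAME=metabase
MB_DB_USER=metabase
MB_DB_PASS=REPLACE_WITH_DB_PASSWORD_PLACEHOLDER
MB_ENCRYPTION_SECRET_KEY=REPLACE_WITH_32_RANDOM_CHARS__PLACEHOLDER
MAX_SESSION_AGE=480
MB_SESSION_COOKIES=true
MB_SITE_URL=https://metabase.example.com
MB_PASSWORD_COMPLEXITY=strong
MB_PASSWORD_LENGTH=14
EOF

# Usage: audit both samples and report the finding count for each.
for f in "$WEAK_ENV" "$HARDENED_ENV"; do
  rc=0; check_metabase_env "$f" || rc=$?
  echo "$f: $rc finding(s)"
done
```

Run it as a pre-deploy gate (`check_metabase_env /etc/metabase/metabase.env || exit 1`) so a configuration that regresses to H2 or drops the encryption key fails the pipeline instead of shipping. The session-age bound is checked on MAX_SESSION_AGE (minutes); if you manage timeouts through MB_SESSION_TIMEOUT instead, add a parallel check for that variable.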
¶ 4) Apply least privilege in data and collection permissions
Metabase has granular permissions for data access, collections, and API key groups.
Critical controls:
- keep users out of the Admin group unless operationally required
- grant query access per database/schema/table scope, not global
- restrict API key assignment to dedicated groups with minimum required permissions
¶ 5) Protect embeds and external exposure
Metabase supports static and interactive embedding; both can leak data if scoped too broadly.
Hardening steps:
- sign embed payloads correctly and scope them to the minimum data needed
- place Metabase behind a reverse proxy with IP allowlists for admin paths
- disable open signup/public exposure on internet-facing instances
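The reverse-proxy bullets above can be expressed as one nginx site configuration. The following is an added example, not a configuration from the Metabase documentation: it redirects plain HTTP to HTTPS, restricts the admin UI and the settings/setup API endpoints to an operator network, and returns 404 for public-link and static-embed paths on an instance that does not use those features. The host name, certificate paths, the 10.0.0.0/8 operator network and the upstream address 127.0.0.1:3000 are assumptions; the /admin, /public, /embed, /api/setting and /api/setup paths are Metabase's own routes.

```nginx
# Added example: nginx in front of Metabase. Assumes Metabase listens on
# 127.0.0.1:3000 and that 10.0.0.0/8 is the operator network.

server {
    listen 80;
    server_name metabase.example.com;
    # Terminate plain HTTP at the proxy: every request is redirected to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name metabase.example.com;
    ssl_certificate     /etc/ssl/metabase/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/metabase/privkey.pem;

    # Admin UI routes plus the settings and setup API: operator network only.
    location ~ ^/(admin|api/setting|api/setup) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Public links and static embeds: not used on this instance, so refuse them
    # at the edge as well as disabling the features in Metabase itself.
    location ~ ^/(public|embed)/ {
        return 404;
    }

    # Everything else is proxied to Metabase over loopback.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two caveats apply. The /admin routes are rendered client-side, so allowlisting them limits who can load the admin pages, not who can call the underlying API; the settings and setup endpoints are included for that reason, and any further admin-only API paths you identify belong in the same location block. The X-Forwarded-Proto header tells Metabase the client connection is HTTPS, which it needs to treat the session as secure behind a TLS-terminating proxy; set MB_SITE_URL to the https:// origin to match.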
Sources:
- Metabase operations guide (production DB, encryption key, env vars): https://www.metabase.com/docs/latest/operations-guide/environment-variables
- Metabase passwords and complexity controls: https://www.metabase.com/docs/latest/people-and-groups/changing-password-complexity
- Metabase API keys and permissions: https://www.metabase.com/docs/latest/people-and-groups/api-keys
- Metabase application permissions: https://www.metabase.com/docs/latest/permissions/application-permissions
- Metabase data permissions: https://www.metabase.com/docs/latest/permissions/data