Windmill combines script execution, job queues, and workspace secrets. Hardening should focus on execution isolation, SSO/RBAC enforcement, and database/secret protection.
¶ 1) Isolate worker execution
Windmill workers execute jobs and scripts; they should not share unrestricted trust with the UI/API components.
Runtime controls:
- run workers on separate nodes or containers from public ingress
- set CPU and memory limits per worker pool
- restrict worker outbound network access to approved destinations
¶ 2) Enforce workspace RBAC and SSO
Windmill supports role-based access and enterprise SSO integrations.
Access baseline:
- assign admin rights only to platform operators
- use SSO/IdP group mapping for account lifecycle control
- require MFA at IdP for privileged workspace roles
¶ 3) Secure secrets and database connectivity
Windmill stores workflow and secret metadata in PostgreSQL and workspace secret stores.
Required controls:
- keep DATABASE_URL secrets out of repository files
- expose PostgreSQL only on private interfaces
- rotate workspace tokens and service credentials on schedule
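Two of the controls above can be checked mechanically: a pre-commit scan for literal DATABASE_URL values that embed a password, and an age check on workspace tokens and service credentials against the rotation interval. The following is an added example written for this page, not Windmill's own tooling; the sample .env content, credential names and timestamps are constructed, and the 90-day interval is an assumed policy value, not a Windmill recommendation.

```python
import re
from datetime import datetime, timedelta, timezone

# A PostgreSQL URL carrying an inline password: scheme://user:password@host/...
# The password is captured separately so the report can redact it.
_DB_URL_WITH_CREDS = re.compile(
    r"(postgres(?:ql)?://[^:\s/@]+:)([^@\s]+)(@[^\s\"']+)", re.IGNORECASE
)


def find_committed_db_urls(text: str) -> list:
    """Return (line_number, redacted_url) for each connection string that
    embeds a password. References to an environment variable instead of a
    literal value (e.g. ${DATABASE_URL}) are not flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _DB_URL_WITH_CREDS.finditer(line):
            redacted = f"{match.group(1)}***REDACTED***{match.group(3)}"
            findings.append((lineno, redacted))
    return findings


def overdue_credentials(credentials: dict, max_age_days: int, now: datetime) -> list:
    """Return the names of credentials (workspace tokens, service passwords)
    whose last rotation is older than max_age_days. `credentials` maps a
    name to its last-rotated UTC timestamp."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(name for name, rotated in credentials.items() if rotated < cutoff)


# --- constructed sample input; not real configuration or credentials ---
SAMPLE_ENV_FILE = """\
# .env accidentally staged for commit
DATABASE_URL=postgres://windmill:hunter2@db:5432/windmill
BASE_URL=https://windmill.example.internal
# correct pattern: value injected at deploy time, nothing literal in the repo
DATABASE_URL_REF=${DATABASE_URL}
"""

SAMPLE_CREDENTIALS = {
    "workspace-token:ci-deploy": datetime(2024, 1, 5, tzinfo=timezone.utc),
    "service:postgres-windmill": datetime(2024, 3, 20, tzinfo=timezone.utc),
    "workspace-token:oncall-bot": datetime(2024, 4, 1, tzinfo=timezone.utc),
}

# Constructed "current time" so the example is reproducible offline.
CHECK_TIME = datetime(2024, 4, 10, tzinfo=timezone.utc)
ROTATION_DAYS = 90  # assumed policy interval, not a Windmill default

if __name__ == "__main__":
    for lineno, url in find_committed_db_urls(SAMPLE_ENV_FILE):
        print(f"line {lineno}: literal connection string committed: {url}")
    for name in overdue_credentials(SAMPLE_CREDENTIALS, ROTATION_DAYS, CHECK_TIME):
        print(f"rotation overdue (>{ROTATION_DAYS} days): {name}")
```

Run `find_committed_db_urls` over staged files in a pre-commit hook and fail the commit on any finding; the redacted form is safe to print in CI logs. The rotation check is deliberately data-source agnostic so the timestamps can come from a secrets manager export or an inventory spreadsheet.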
¶ 4) Harden web ingress and API exposure
Windmill commonly runs behind Caddy/Nginx/Traefik.
Ingress controls:
- force HTTPS and enable HSTS
- restrict admin/API routes with network policy where feasible
- apply request-size and rate limits to public endpoints
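The ingress controls above translate into a handful of reverse-proxy directives, and their presence can be verified before a configuration is deployed. The following added example (not from the Windmill documentation or project) contains a constructed hardened Nginx server definition, a weak one for contrast, and a line-oriented audit of the directives that matter: a TLS listener, an HTTP-to-HTTPS redirect, HSTS with at least a one-year max-age, a request-size limit and a rate limit. The hostname, the upstream `windmill_server:8000`, and the 10m/20r/s values are placeholders; the scan is not a full Nginx parser.

```python
import re

# Constructed hardened configuration (values are placeholders).
HARDENED_NGINX = """\
limit_req_zone $binary_remote_addr zone=windmill_api:10m rate=20r/s;

server {
    listen 80;
    server_name windmill.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name windmill.example.internal;
    ssl_certificate     /etc/ssl/windmill/fullchain.pem;
    ssl_certificate_key /etc/ssl/windmill/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    client_max_body_size 10m;

    location / {
        limit_req zone=windmill_api burst=40 nodelay;
        proxy_pass http://windmill_server:8000;  # assumed upstream name and port
    }
}
"""

# Constructed weak configuration: plain HTTP, no limits, no HSTS.
WEAK_NGINX = """\
server {
    listen 80;
    server_name windmill.example.internal;
    location / {
        proxy_pass http://windmill_server:8000;
    }
}
"""

ONE_YEAR_SECONDS = 31536000


def _directives(config: str) -> list:
    """Return each non-comment directive line, stripped of whitespace and the
    trailing semicolon; block openers and closers are dropped."""
    out = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.endswith("{") and line != "}":
            out.append(line.rstrip(";").strip())
    return out


def audit_nginx(config: str) -> list:
    """Return the list of failed ingress controls (empty means all passed)."""
    d = _directives(config)
    failures = []
    if not any(re.fullmatch(r"listen\s+443\b.*\bssl\b.*", x) for x in d):
        failures.append("no TLS listener (listen 443 ssl)")
    has_http = any(re.fullmatch(r"listen\s+80\b.*", x) for x in d)
    if has_http and not any(x.startswith("return 301 https://") for x in d):
        failures.append("plain HTTP listener without redirect to HTTPS")
    hsts = [x for x in d if x.startswith("add_header Strict-Transport-Security")]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not m or int(m.group(1)) < ONE_YEAR_SECONDS:
        failures.append("HSTS missing or max-age below one year")
    if not any(x.startswith("client_max_body_size") for x in d):
        failures.append("no request-size limit (client_max_body_size)")
    if not any(x.startswith("limit_req zone=") for x in d):
        failures.append("no rate limit (limit_req) on proxied locations")
    return failures


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_NGINX), ("weak", WEAK_NGINX)):
        print(label, audit_nginx(cfg) or "all ingress controls present")
```

Restricting admin/API routes by source network is not checked here because the exact Windmill paths are not given above; the same `_directives` scan can be extended with an `allow`/`deny` check once those paths are known for the deployed version.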
¶ 5) Supply-chain and update policy
Windmill releases frequently and includes runtime dependencies for script execution.
Operations baseline:
- pin image versions and update through staged rollout
- monitor upstream release notes in windmill-labs/windmill
- maintain tested rollback procedure for failed upgrades
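Several controls from sections 1, 3 and 5 (worker CPU/memory limits, workers kept away from ingress, PostgreSQL not published on every interface, pinned image tags) are all visible in a docker-compose definition, so one audit can cover them. The following is an added example, not Windmill's own tooling. The compose content is constructed inline as the dict that `yaml.safe_load()` would return from a compose file; the image name `ghcr.io/windmill-labs/windmill`, the `MODE=worker` environment setting, and the tag `1.2.3` are assumptions or placeholders and should be checked against the compose file of the version in use.

```python
from typing import Optional

WINDMILL_IMAGE_PREFIX = "ghcr.io/windmill-labs/windmill"  # assumed upstream image name
FLOATING_TAGS = {"latest", "main"}                        # tags that move between builds


def _is_worker(service: dict) -> bool:
    """Workers are identified by MODE=worker (assumed from upstream compose files).
    The environment may be a mapping or a list of KEY=value strings."""
    env = service.get("environment", {})
    if isinstance(env, list):
        env = dict(item.split("=", 1) for item in env)
    return str(env.get("MODE", "")).lower() == "worker"


def _image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it has none.
    A ':' belonging to a registry port (registry:5000/name) is not a tag."""
    _name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return None
    return tag


def _published_on_all_interfaces(port_spec) -> bool:
    """'HOST_IP:HOST_PORT:CONTAINER_PORT' binds one address; shorter forms bind 0.0.0.0."""
    parts = str(port_spec).split(":")
    return len(parts) < 3 or parts[0] in ("0.0.0.0", "")


def audit_compose(compose: dict) -> list:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        image = svc.get("image", "")
        if image.startswith(WINDMILL_IMAGE_PREFIX):
            tag = _image_tag(image)
            if tag is None or tag in FLOATING_TAGS:
                findings.append(f"{name}: image {image} is not pinned to a release tag")
        if _is_worker(svc):
            limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
            if "cpus" not in limits or "memory" not in limits:
                findings.append(f"{name}: worker without cpu/memory limits")
            if svc.get("ports"):
                findings.append(f"{name}: worker publishes ports; keep workers off the ingress path")
        if image.startswith("postgres"):
            for p in svc.get("ports", []):
                if _published_on_all_interfaces(p):
                    findings.append(f"{name}: PostgreSQL published on all interfaces ({p})")
    return findings


# Constructed sample, as yaml.safe_load() would return it; not a real deployment.
SAMPLE_COMPOSE = {
    "services": {
        "db": {"image": "postgres:16", "ports": ["5432:5432"]},       # bound to 0.0.0.0
        "windmill_server": {
            "image": f"{WINDMILL_IMAGE_PREFIX}:main",                    # floating tag
            "environment": {"MODE": "server"},
            "ports": ["8000:8000"],
        },
        "windmill_worker": {
            "image": f"{WINDMILL_IMAGE_PREFIX}:1.2.3",                   # placeholder pinned tag
            "environment": ["MODE=worker"],
            "deploy": {"resources": {"limits": {"cpus": "2", "memory": "2048M"}}},
        },
        "windmill_worker_2": {
            "image": f"{WINDMILL_IMAGE_PREFIX}:1.2.3",
            "environment": {"MODE": "worker"},
            "ports": ["9001:9001"],                                      # no limits, exposed
        },
    }
}

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print(finding)
```

Against a real file, load it with `yaml.safe_load(open("docker-compose.yml"))` (PyYAML is not imported here to keep the example stdlib-only) and fail the staged rollout when `audit_compose` returns anything; the network-egress restriction from section 1 is not expressible in compose alone and belongs in the host firewall or network policy.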
- Windmill documentation: https://www.windmill.dev/docs
- Windmill self-hosting docs: https://www.windmill.dev/docs/advanced/self_host
- Windmill source repository: https://github.com/windmill-labs/windmill