Phabricator combines code review, repository browsing, and task data in one platform. A compromise can expose source code and workflow metadata at once, so policy defaults and admin controls must be strict.
¶ 1) Tighten auth and registration policy
Phabricator supports multiple auth providers and account policies.
Required controls:
- disable public self-registration unless explicitly required
- enforce MFA for privileged accounts and repository administrators
- use SSO-backed auth where possible and disable unused auth providers
¶ 2) Lock down object policies
Phabricator object policies (view, edit) determine who can read revisions, tasks, and files.
Hardening baseline:
- set default object visibility to private/internal, not public
- review Differential, Diffusion, and Maniphest policies per project space
- restrict repository write and landing permissions to trusted groups only
¶ 3) Protect the daemon and background-processing plane
The phd daemons execute async jobs, notifications, and automation hooks.
Controls:
- supervise phd with a service manager and alert on crashes/stalls
- run the daemons under a least-privilege service account
- audit outbound integrations and webhook endpoints used by daemons
¶ 4) Secure configuration and storage backends
Phabricator stores sensitive settings both in local config files and in DB-backed application data.
Data controls:
- protect config/local/local.json and DB credentials with strict file permissions
- keep repository and file storage on encrypted disks where required
- include DB, local config, repository storage, and file storage in backup scope
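The registration, MFA, object-visibility and local-config controls in sections 1, 2 and 4 can be checked mechanically against the local config file. The following is an added example, not Phabricator's own tooling: it assumes local.json is a flat JSON object mapping config key to value as written by `bin/config set`, uses real Phabricator config keys, and treats the required values as this audit's baseline rather than the project's defaults.

```python
import json
import os
import stat

# Baseline for this audit (constructed here, not taken from the page):
# config key -> (required value, which control above it enforces).
BASELINE = {
    "policy.allow-public": (False, "default object visibility is private, not public"),
    "auth.require-approval": (True, "new accounts need admin approval, no open self-registration"),
    "security.require-multi-factor-auth": (True, "MFA is enforced for accounts"),
    "auth.lock-config": (True, "auth providers cannot be edited from the web UI"),
    "security.require-https": (True, "served only over TLS behind the reverse proxy"),
}

def audit_config(config):
    """Return one finding per baseline key that is unset or weaker than required."""
    findings = []
    for key, (required, why) in BASELINE.items():
        if key not in config:
            findings.append(f"{key} not set: set it explicitly ({why})")
        elif config[key] != required:
            findings.append(f"{key}={config[key]!r} (required {required!r}): {why}")
    return findings

def owner_only(mode):
    """True when the permission bits grant nothing to group or other (e.g. 0o600)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def audit_file(path):
    """Audit a local.json on disk: file permissions first, then its settings."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not owner_only(mode):
        findings.append(f"{path} mode {oct(mode)}: restrict to owner (0600), it holds DB credentials")
    with open(path) as fh:
        findings += audit_config(json.load(fh))
    return findings

# Constructed sample configs for a stand-alone run (hypothetical values).
WEAK_CONFIG = {
    "policy.allow-public": True,
    "auth.require-approval": False,
    "security.require-https": True,
    "mysql.user": "phabricator",
}
HARDENED_CONFIG = {key: required for key, (required, _) in BASELINE.items()}

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FAIL", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run `audit_file("config/local/local.json")` from the Phabricator root to check a live deployment; anything returned is a deviation from the baseline above.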
¶ 5) Account for reduced upstream maintenance
Phabricator's upstream from Phacility is no longer maintained in the same way as actively developed projects.
Compensating controls:
- run a staged upgrade and dependency review before production changes
- place Phabricator behind a hardened reverse proxy (TLS, rate limiting, IP controls)
- monitor forks and maintained downstream security fixes relevant to your deployment
- Phabricator product page: https://phacility.com/phabricator/
- Phabricator source repository: https://github.com/phacility/phabricator