Review Board handles code diffs, comments, and repository credentials. Hardening must protect Django settings, repository integrations, and admin access workflows.
¶ 1) Harden Django and site-level security settings
Review Board runs on Django and inherits Django's deployment security controls, so the site's Django settings are the first hardening surface.
Required controls:
- configure strict ALLOWED_HOSTS and enforce HTTPS everywhere
- set secure cookie/session behavior for authenticated users
- keep debug features disabled in production site config
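The checks above can be turned into a repeatable audit of the site's Django settings. The following is an added example written for this page, not code from the Review Board project; it assumes the settings live in a plain Python module such as the site's conf/settings_local.py (the path is an assumption) and checks only standard Django settings (DEBUG, ALLOWED_HOSTS, SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY, SECURE_HSTS_SECONDS). The two dictionaries are constructed samples of a weak and a hardened configuration.

```python
"""Audit a Django settings mapping against the hardening baseline above."""
import runpy
from typing import Any

# Constructed sample: the kind of settings a fresh or dev-oriented install may carry.
WEAK_SETTINGS: dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_HSTS_SECONDS": 0,
}

# Constructed sample: the same keys after hardening (hostname is a placeholder).
HARDENED_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["reviews.example.internal"],
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_HSTS_SECONDS": 31536000,  # one year
}

# Settings that must be True in production; a missing key is treated as unset.
REQUIRED_TRUE = (
    "SECURE_SSL_REDIRECT",
    "SESSION_COOKIE_SECURE",
    "CSRF_COOKIE_SECURE",
    "SESSION_COOKIE_HTTPONLY",
)


def audit_settings(settings: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the baseline is met."""
    findings: list[str] = []

    if settings.get("DEBUG", False):
        findings.append("DEBUG is enabled: tracebacks and settings leak to clients")

    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or any(h in ("*", "") for h in hosts):
        findings.append("ALLOWED_HOSTS is empty or wildcard: Host header is not validated")

    for key in REQUIRED_TRUE:
        if not settings.get(key, False):
            findings.append(f"{key} is not True")

    if int(settings.get("SECURE_HSTS_SECONDS", 0) or 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: browsers are not told to stay on HTTPS")

    return findings


def audit_settings_file(path: str) -> list[str]:
    """Execute a settings module (e.g. conf/settings_local.py) and audit its globals."""
    module_globals = runpy.run_path(path)
    return audit_settings({k: v for k, v in module_globals.items() if k.isupper()})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"[{label}] {len(audit_settings(cfg))} finding(s)")
        for line in audit_settings(cfg):
            print("  -", line)
```

Run `audit_settings_file("/path/to/site/conf/settings_local.py")` from a deploy check; any non-empty result should block the rollout. Note that `runpy.run_path` executes the module, so only run it against files you control.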
¶ 2) Restrict admin and repository credentials
Repository access in Review Board often uses stored credentials or service accounts.
Controls:
- use dedicated read-only repository accounts where possible
- restrict who can create/edit repository credentials in admin UI
- rotate repository tokens/SSH keys on schedule and after staff changes
¶ 3) Secure extension/plugin and API integrations
Review Board supports extensions and webhook-style integrations.
Hardening baseline:
- install extensions only from trusted sources and keep them updated
- validate webhook targets and protect shared secrets
- remove unused extensions and stale integration credentials
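"Validate webhook targets and protect shared secrets" can be made concrete with a target allowlist check and an HMAC signature on the payload. The code below is an added example for this page, not Review Board's own webhook implementation; the allowlisted hostnames, the `sha256=` header format and the sample payload are all constructed assumptions.

```python
"""Outbound webhook hardening: target validation plus HMAC-signed payloads."""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlparse

# Assumption: operators maintain an explicit allowlist of integration hosts.
ALLOWED_WEBHOOK_HOSTS = frozenset({"ci.example.internal", "chat.example.internal"})


def validate_webhook_target(url: str, allowed_hosts=ALLOWED_WEBHOOK_HOSTS) -> tuple[bool, str]:
    """Accept only HTTPS URLs to allowlisted hosts with no embedded credentials."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    # Reject raw IP targets in private/loopback/link-local ranges outright,
    # so a misconfigured allowlist cannot point the server at itself.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return False, "target is an internal address"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the signature header value the receiver will check (assumed format)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver side: constant-time comparison against the recomputed signature."""
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, header_value)


if __name__ == "__main__":
    # Constructed sample payload and secret; a real secret comes from a secret store.
    secret = b"constructed-demo-secret"
    body = b'{"event":"review_request_published","id":42}'
    for target in ("https://ci.example.internal/hook",
                   "http://ci.example.internal/hook",
                   "https://127.0.0.1/hook",
                   "https://user:pw@chat.example.internal/hook"):
        print(target, validate_webhook_target(target))
    sig = sign_payload(secret, body)
    print("valid:", verify_signature(secret, body, sig))
    print("tampered:", verify_signature(secret, body + b" ", sig))
```

The hostname allowlist is checked at configuration time; because a name can resolve to a different address later, keep the outbound HTTP client pinned to the same allowlist (or resolve and re-check at send time) rather than relying on the stored URL alone.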
¶ 4) Protect site directory and uploaded artifact data
Review metadata and attachments are stored in DB and site storage.
Data controls:
- apply least-privilege filesystem permissions on conf/ and upload paths
- include DB and site directory in encrypted backup policy
- test restore of historical diffs/comments and repository links
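The least-privilege requirement on conf/ and the upload paths can be checked and enforced with a short permission walk. This is an added example for this page, not a Review Board tool; the layout it builds under a temporary directory (a conf/settings_local.py file and an uploads/ tree) is a constructed sample, and the rule it applies, no world access and no group write, is an assumed baseline that you may tighten further.

```python
"""Find and strip loose filesystem permissions under a site directory."""
import os
import stat
import tempfile


def find_loose_permissions(root: str, allow_group_write: bool = False) -> list[str]:
    """Return entries under root that are world-accessible or (optionally) group-writable."""
    findings: list[str] = []
    for path in _walk_all(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink modes are meaningless; the target is checked on its own
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:
            findings.append(f"{path}: world-accessible mode {mode:04o}")
        elif (mode & stat.S_IWGRP) and not allow_group_write:
            findings.append(f"{path}: group-writable mode {mode:04o}")
    return findings


def fix_loose_permissions(root: str, allow_group_write: bool = False) -> int:
    """Clear the offending bits in place; returns the number of entries changed."""
    changed = 0
    for path in _walk_all(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        new_mode = mode & ~stat.S_IRWXO
        if not allow_group_write:
            new_mode &= ~stat.S_IWGRP
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


def _walk_all(root: str):
    """Yield root itself plus every directory and file beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def build_sample_site() -> str:
    """Constructed sample site: a world-readable settings file beside a correct uploads tree."""
    root = tempfile.mkdtemp(prefix="rb-site-")
    conf = os.path.join(root, "conf")
    uploads = os.path.join(root, "uploads")
    os.makedirs(conf)
    os.makedirs(uploads)
    settings = os.path.join(conf, "settings_local.py")
    with open(settings, "w") as fh:
        fh.write("SECRET_KEY = 'constructed-placeholder'\n")
    os.chmod(root, 0o750)
    os.chmod(conf, 0o750)
    os.chmod(uploads, 0o750)
    os.chmod(settings, 0o644)  # the defect: secrets readable by every local user
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in find_loose_permissions(site):
        print("FINDING:", f)
    print("fixed entries:", fix_loose_permissions(site))
    print("remaining:", find_loose_permissions(site))
```

Run `find_loose_permissions` against the real site directory as a read-only check first; apply `fix_loose_permissions` only once you have confirmed the web server and worker run as the owning user or group, since stripping group write from a shared upload path can break uploads.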
¶ 5) Patch cadence and operational monitoring
Review Board security depends on keeping both Review Board itself and its Python dependencies patched.
Operational policy:
- track Review Board and dependency updates and apply after staging validation
- monitor worker/background job health and email notification failures
- alert on authentication anomalies and permission changes in admin areas
- Review Board documentation: https://www.reviewboard.org/docs/
- Review Board project site: https://www.reviewboard.org/
- Review Board source repository: https://github.com/reviewboard/reviewboard