EspoCRM is a PHP-based CRM that exposes a REST API and automation workflows. Hardening should focus on three areas: ACL role design, API token controls, and extension governance.
¶ 1) Enforce strict ACL and role separation
- define separate roles for sales, support, admin, and integration users
- review field-level and entity-level ACL settings so sensitive records are not globally readable
- remove stale users and disabled accounts regularly
¶ 2) Protect API and integration credentials
- use dedicated API users/tokens per integration system
- rotate integration tokens and webhook secrets on schedule
- restrict outbound connector permissions to required modules/entities
¶ 3) Secure runtime and extension surface
- keep EspoCRM core and extensions updated from trusted sources
- protect config files and DB credentials with least-privilege filesystem permissions
- enforce HTTPS, secure cookies, and login rate limiting at proxy/app level
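One way to verify the file-permission item above, as an added example that is not EspoCRM's own tooling: a POSIX shell audit that flags any listed file whose mode grants permission bits beyond an allowed maximum. It assumes the caller passes the allowed octal mode and the paths of the install's config files (those paths are not named on this page).

```shell
#!/bin/sh
# Added example (not EspoCRM project code): audit that the files holding
# config and DB credentials are not readable beyond owner/group. The caller
# supplies the paths; nothing here assumes where a given install keeps them.

# check_mode FILE MAX_MODE
# Returns 0 when FILE grants no permission bit beyond MAX_MODE (octal),
# 1 when it grants more, 2 when FILE does not exist.
check_mode() {
  file=$1
  max=$2
  [ -e "$file" ] || { echo "MISSING $file"; return 2; }
  # GNU stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  # Bits set in the actual mode but not allowed by MAX_MODE (rwx bits only)
  extra=$(( (0$mode & ~0$max) & 0777 ))
  if [ "$extra" -ne 0 ]; then
    echo "FAIL $file mode=$mode allowed<=$max"
    return 1
  fi
  echo "OK   $file mode=$mode"
  return 0
}

# audit_files MAX_MODE FILE...
# Checks every FILE and returns the number of files that fail or are
# missing, so a return value of 0 means the whole set passed.
audit_files() {
  max=$1
  shift
  failures=0
  for f in "$@"; do
    check_mode "$f" "$max" || failures=$((failures + 1))
  done
  return "$failures"
}

# Usage: ./audit.sh 640 /path/to/espocrm/CONFIG_FILE /path/to/espocrm/CREDENTIALS_FILE
if [ "$#" -ge 2 ]; then
  audit_files "$@"
fi
```

Run it from cron or a CI job against the files the web server must read, and treat any non-zero exit as a finding to investigate.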
¶ 4) References
- EspoCRM website: https://www.espocrm.com
- EspoCRM documentation: https://docs.espocrm.com/
- EspoCRM source code: https://github.com/espocrm/espocrm
- EspoCRM forum: https://forum.espocrm.com/