Chatwoot combines inbox data, customer profiles, and agent authentication. Hardening should focus on account security (MFA), inbox role controls, and channel secret protection.

## 1) Enforce strong agent identity controls

- enable MFA for all agents and admins in self-hosted deployments
- integrate SSO and keep owner/admin roles limited
- review account membership for each inbox regularly

## 2) Protect channel integrations and webhooks

- store API tokens for WhatsApp, email, and social channels in secret-managed env vars
- rotate channel credentials after staff changes or suspected exposure
- restrict inbound webhook origins and apply request rate limits

## 3) Secure data and runtime infrastructure

- enforce HTTPS, secure cookies, and reverse-proxy WAF/rate limits
- protect Postgres/Redis with private network access only
- encrypt backups because conversations can include personal data
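One way to put sections 2 and 3 into practice at the reverse proxy, as an added example rather than Chatwoot's own configuration: an nginx server block that redirects plain HTTP, sets HSTS, forces Secure/HttpOnly on session cookies, restricts the channel webhook path to provider addresses and rate-limits it separately from agent traffic. It assumes Chatwoot listens on 127.0.0.1:3000, that channel webhooks arrive under /webhooks/, and uses placeholder hostnames, certificate paths and IP ranges that must be replaced.

```nginx
# Added example, not part of the Chatwoot project. Placeholders: chat.example.com,
# certificate paths, the 203.0.113.0/24 provider range, and the /webhooks/ prefix.
limit_req_zone $binary_remote_addr zone=cw_agents:10m   rate=20r/s;
limit_req_zone $binary_remote_addr zone=cw_webhooks:10m rate=5r/s;

server {
    listen 80;
    server_name chat.example.com;
    return 301 https://$host$request_uri;   # never serve the app over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name chat.example.com;

    ssl_certificate     /etc/ssl/chatwoot/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/chatwoot/privkey.pem;     # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    # Force Secure/HttpOnly/SameSite on every cookie the app sets, even if the
    # application-level cookie settings are ever misconfigured.
    proxy_cookie_flags ~ secure httponly samesite=lax;

    # Channel webhooks: provider egress addresses only, tighter rate limit,
    # small body cap. Providers that publish no stable ranges must instead be
    # verified by the channel's own request signature inside the app.
    location ^~ /webhooks/ {
        allow 203.0.113.0/24;                  # placeholder: provider range
        deny  all;
        limit_req zone=cw_webhooks burst=20 nodelay;
        client_max_body_size 2m;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Agent UI and API: looser limit, WebSocket upgrade allowed for live updates.
    location / {
        limit_req zone=cw_agents burst=50 nodelay;
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The `proxy_cookie_flags` directive needs nginx 1.19.3 or later; on older builds drop that line and rely on the application's own cookie settings.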