osTicket runs public ticket forms and agent portals, making authentication and intake controls critical. Hardening should include MFA, patch discipline, and attachment protections.

## 1) Enforce agent MFA and least privilege

- require 2FA for agents via admin settings
- restrict admin capabilities to core platform maintainers
- review department/team role assignments periodically

## 2) Secure public ticket ingestion

- rate-limit public forms and enforce CAPTCHA/anti-bot controls
- restrict accepted attachment types and maximum upload sizes
- validate email parsing/pipe endpoints and protect mailbox credentials

## 3) Patch and infrastructure hardening

- keep osTicket on supported, security-fixed releases
- enforce HTTPS and secure cookies for staff and client portals
- isolate the database and keep encrypted backups of ticket and attachment data
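The attachment controls in section 2 (allow-listed types, a size cap) are the part of public intake most often left at defaults. The following is an added example, not osTicket's own code, of the checks a hardened intake path should apply before an upload is stored: basename-only handling of the client-supplied name, a size cap, an extension allow-list, rejection of double extensions, and a check that the file content actually matches the claimed type. The policy values, signature table and sample uploads are all constructed for the example.

```python
"""Attachment intake policy check for a public ticket form (added example)."""
from dataclasses import dataclass

# Constructed policy: allowed extensions mapped to the magic bytes each type must start with.
ALLOWED_TYPES = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "txt": [],  # plain text has no signature; it is checked for NUL bytes instead
}
# Constructed list of script/executable suffixes that must never appear as an inner extension.
SCRIPT_SUFFIXES = {"php", "phtml", "phar", "exe", "sh", "html", "htm", "js"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # constructed 2 MiB cap


@dataclass
class Verdict:
    accepted: bool
    reason: str


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Return whether the upload is accepted under the policy, and why."""
    # Use only the basename: path separators in a client-supplied name are never trusted.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not data:
        return Verdict(False, "empty upload")
    if len(data) > MAX_UPLOAD_BYTES:
        return Verdict(False, f"exceeds {MAX_UPLOAD_BYTES} byte cap")
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return Verdict(False, "missing extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension '.{ext}' not in allow-list")
    # Reject names such as invoice.php.pdf: a script suffix hidden before the final
    # extension defeats naive suffix checks on misconfigured web servers.
    for inner in parts[1:-1]:
        if inner in SCRIPT_SUFFIXES:
            return Verdict(False, f"double extension '.{inner}.{ext}' rejected")
    # The content must agree with the claimed type, not just the name.
    signatures = ALLOWED_TYPES[ext]
    if signatures:
        if not any(data.startswith(sig) for sig in signatures):
            return Verdict(False, f"content does not match '.{ext}' signature")
    elif b"\x00" in data:
        return Verdict(False, "binary content in text attachment")
    return Verdict(True, "accepted")


# Constructed sample uploads: (client-supplied name, first bytes of the body).
SAMPLES = [
    ("receipt.pdf", b"%PDF-1.7\n"),                      # accepted
    ("shell.php.pdf", b"%PDF-1.7\n"),                    # rejected: double extension
    ("logo.png", b"<?php echo 1; ?>"),                   # rejected: signature mismatch
    ("notes.txt", b"hello"),                             # accepted
    ("../../notes.txt", b"MZ\x00\x00"),                  # rejected: binary in text
    ("big.pdf", b"%PDF-" + b"A" * MAX_UPLOAD_BYTES),     # rejected: too large
]


def run_samples() -> list:
    """Evaluate every constructed sample and return (name, accepted, reason) triples."""
    results = []
    for name, body in SAMPLES:
        verdict = check_attachment(name, body)
        results.append((name, verdict.accepted, verdict.reason))
    return results


if __name__ == "__main__":
    for name, accepted, reason in run_samples():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {name:20s} {reason}")
```

The signature check is deliberately placed after the name checks so that a rejected name never causes the body to be parsed. Whatever the application-level policy, the same size cap should also be enforced at the web server or PHP layer (`upload_max_filesize`, `post_max_size`) so oversized bodies are dropped before they reach osTicket.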