Zammad is a full-featured ticketing platform with optional SSO, Elasticsearch, and extensive API use. Security work should focus on SSO hardening, transport security, and service segmentation.

## 1) Secure authentication and SSO

- enforce a strong local authentication policy and prefer centralized SSO (Kerberos/OIDC) where available
- keep the number of admin accounts small and review their permissions regularly
- protect SSO endpoints and verify that domain/SPN configuration is correct in AD environments

## 2) Harden web/API exposure

- configure a named vhost and TLS certificates as recommended in the webserver docs
- apply reverse-proxy rate limiting to authentication and ticket endpoints
- scope API tokens to the role that needs them and rotate integration credentials

## 3) Protect backend services and indexed data

- keep Elasticsearch and the database private, with no direct public exposure
- store secrets in environment/service config files readable only by the service account (least privilege)
- encrypt backups that contain tickets, attachments, and search-index data
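As an added example (not from this page or the Zammad project), the nginx vhost below applies the TLS and rate-limiting points from section 2. It assumes Zammad's Rails server listens on 127.0.0.1:3000 and its websocket server on 127.0.0.1:6042 (the loopback defaults of the documented nginx setup), that the login API path is `/api/v1/signin`, and uses placeholder hostname and certificate paths.

```nginx
# Rate-limit zones must be declared in the http {} context (nginx.conf or a
# conf.d file), not inside a server block.
limit_req_zone $binary_remote_addr zone=zammad_login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=zammad_api:10m rate=120r/m;

# Assumed upstreams: Zammad's Rails and websocket servers, bound to loopback only.
upstream zammad-railsserver { server 127.0.0.1:3000; }
upstream zammad-websocket   { server 127.0.0.1:6042; }

server {
    listen 443 ssl http2;
    server_name zammad.example.com;   # named vhost, placeholder hostname
    ssl_certificate     /etc/ssl/certs/zammad.example.com.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/zammad.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Inherited by every location that sets no proxy_set_header of its own.
    proxy_set_header Host              $http_host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Login endpoint: a tight per-client limit blunts password guessing.
    location = /api/v1/signin {
        limit_req zone=zammad_login burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://zammad-railsserver;
    }

    # Ticket and other API calls: looser per-client budget, still capped.
    location /api/ {
        limit_req zone=zammad_api burst=60 nodelay;
        limit_req_status 429;
        proxy_pass http://zammad-railsserver;
    }

    # Websocket: setting any header here drops the inherited ones, so repeat them.
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      "Upgrade";
        proxy_set_header Host            $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://zammad-websocket;
    }

    location / { proxy_pass http://zammad-railsserver; }
}
```

The limits key on `$binary_remote_addr`, so if another load balancer sits in front of nginx, configure `real_ip_header`/`set_real_ip_from` first or every client will share one bucket.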