HumHub combines collaboration, messaging, and social features. Hardening priorities are strict registration policy, module governance, and secure PHP/web stack defaults.
1) Enforce strict user onboarding and permissions
- Disable open registration unless explicitly required.
- Use approval workflows for new users in enterprise environments.
- Keep admin and space-manager roles limited and regularly reviewed.
- Integrate SSO/LDAP for centralized account lifecycle policy.
2) Harden web and PHP runtime controls
- Run behind HTTPS and enforce HSTS.
- Keep protected/config and sensitive runtime paths outside direct web access.
- Set secure cookie/session controls in PHP and reverse proxy.
- Disable dangerous PHP functions based on your baseline hardening policy.
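
One way to check the cookie/session, disabled-function and HSTS items above against a php.ini file and a captured set of response headers. This is an added example, not HumHub code. The function baseline, the 180-day minimum HSTS max-age and the sample inputs are assumptions made for illustration.

```python
import re

# Assumed baseline for this example; substitute your own hardening policy.
BASELINE_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
REQUIRED_ON = ("session.cookie_secure", "session.cookie_httponly", "session.use_strict_mode")

def parse_ini(text):
    """Parse php.ini 'key = value' lines; ';' comments and [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return findings for session-cookie flags and disable_functions."""
    ini = parse_ini(text)
    findings = [f"{k} is not enabled" for k in REQUIRED_ON
                if ini.get(k, "").lower() not in {"1", "on", "true", "yes"}]
    if ini.get("session.cookie_samesite", "").lower() not in {"lax", "strict"}:
        findings.append("session.cookie_samesite is not Lax or Strict")
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(BASELINE_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    return findings

def audit_hsts(headers, min_age=15552000):
    """Flag a missing HSTS header or a max-age below min_age (assumed 180 days)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", value or "", re.I)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    if not m or int(m.group(1)) < min_age:
        return [f"HSTS max-age below {min_age} seconds"]
    return []

# Constructed sample inputs (not taken from a real deployment).
WEAK_INI = "session.cookie_httponly = 1\ndisable_functions = exec,system ; partial\n"
HARDENED_INI = """session.cookie_secure = On
session.cookie_httponly = 1
session.use_strict_mode = 1
session.cookie_samesite = "Lax"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
"""

if __name__ == "__main__":
    print("\n".join(audit_php_ini(WEAK_INI) + audit_hsts({"Server": "nginx"})))
```

Feed it the php.ini that the web SAPI actually loads and the headers returned by the public HTTPS endpoint, since the reverse proxy may add or strip HSTS.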
3) Control modules and extension risk
- Install only required modules from trusted sources.
- Remove unused modules and themes.
- Patch HumHub core and extensions frequently.
- Monitor audit/system logs for privilege changes and suspicious activity.
- HumHub documentation: https://docs.humhub.org/
- HumHub source repository: https://github.com/humhub/humhub
- HumHub security policy: https://github.com/humhub/humhub/security/policy