Frappe HRMS runs on the Frappe framework, so security depends on both HRMS and framework patching. Prioritize strict role controls, 2FA for administrators, and disciplined updates.
1) Enforce identity and role hardening
- Enable 2FA for Administrator and HR manager accounts.
- Remove inactive users and audit role assignments regularly.
- Use least-privilege role profiles for payroll, HR, and IT operations.
- Restrict API key creation and rotate integration keys on schedule.
- Use production deployment mode with NGINX and Supervisor.
- Force HTTPS and secure cookies on all sites.
- Restrict MariaDB/Redis to private interfaces only.
- Keep site_config.json and bench secrets out of public or shared paths.
- Track Frappe security advisories and apply fixed versions promptly.
- Validate bench update in staging before production rollout.
- Keep custom apps reviewed for unsafe query/input patterns.
- Back up DB + private/public files before each update window.
- Frappe production setup: https://docs.frappe.io/framework/user/en/production-setup
- Frappe setup production guide: https://docs.frappe.io/framework/v14/user/en/bench/guides/setup-production
- Frappe framework repository: https://github.com/frappe/frappe
- Frappe advisory example (CVE-2025-30212): https://github.com/advisories/GHSA-3hj6-r5c9-q8f3
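The identity items (inactive users, orphaned API keys, privileged roles) and the deployment items (services on private interfaces only, HTTPS host name, no developer mode, config file not world-readable) can both be checked with a small post-setup audit. The script below is an added example, not code from Frappe or HRMS. It assumes the site_config.json keys db_host, redis_cache, redis_queue, developer_mode, allow_tests and host_name in the usual Frappe sense, and that User records look like the dicts frappe.get_all("User", ...) returns with roles pre-joined; the sample config, user list and audit date are constructed. 2FA status is not a User field in Frappe, so it is not covered here.

```python
"""Post-setup audit for a Frappe/HRMS site (added example, not project code)."""
import ipaddress
import stat
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed sample site_config.json contents. Key names follow Frappe's site
# configuration conventions (an assumption, not taken from the checklist above).
SAMPLE_SITE_CONFIG = {
    "db_name": "_hrms_prod",
    "db_password": "example-not-a-real-secret",
    "db_host": "10.0.0.5",                          # private network: acceptable
    "redis_cache": "redis://0.0.0.0:13000",         # unspecified address: finding
    "redis_queue": "redis://cache.example.net:11000",  # not verifiable offline: finding
    "developer_mode": 1,
    "allow_tests": 1,
    "host_name": "http://hr.example.internal",
    "encryption_key": "example-not-a-real-key",
}
SAMPLE_SITE_CONFIG_MODE = 0o644  # group/world readable: finding

# The same config after applying the checklist.
HARDENED_SITE_CONFIG = {
    **SAMPLE_SITE_CONFIG,
    "redis_cache": "redis://127.0.0.1:13000",
    "redis_queue": "redis://127.0.0.1:11000",
    "developer_mode": 0,
    "allow_tests": 0,
    "host_name": "https://hr.example.internal",
}

PRIVILEGED_ROLES = {"System Manager", "HR Manager"}  # Frappe / HRMS role names
AUDIT_DATE = date(2025, 6, 3)                         # constructed "today"

# Constructed sample User records (field names assumed to mirror the User doctype).
SAMPLE_USERS = [
    {"name": "Administrator", "enabled": 1, "last_login": "2025-06-01 09:12:00",
     "api_key": None, "roles": ["System Manager"]},
    {"name": "payroll.old@example.com", "enabled": 1, "last_login": "2024-11-03 17:40:00",
     "api_key": "example-key-1", "roles": ["HR Manager"]},
    {"name": "integration@example.com", "enabled": 0, "last_login": None,
     "api_key": "example-key-2", "roles": ["HR User"]},
    {"name": "hr.user@example.com", "enabled": 1, "last_login": "2025-06-02 08:00:00",
     "api_key": None, "roles": ["HR User"]},
]


def _host_is_private(host):
    """True only for 'localhost' or a loopback/private IP literal.

    DNS names cannot be verified offline, so they are reported for review.
    0.0.0.0 counts as private in ipaddress but means 'all interfaces', so it is excluded.
    """
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private and not ip.is_unspecified


def audit_site_config(config, file_mode):
    """Return (code, detail) findings for one site_config.json and its mode bits."""
    findings = []
    db_host = config.get("db_host", "127.0.0.1")  # absent means local socket/host
    if not _host_is_private(db_host):
        findings.append(("DB_HOST_PUBLIC", db_host))
    for key in ("redis_cache", "redis_queue"):
        url = config.get(key)
        if url and not _host_is_private(urlparse(url).hostname or ""):
            findings.append(("REDIS_PUBLIC", key))
    if config.get("developer_mode"):
        findings.append(("DEVELOPER_MODE", "disable in production"))
    if config.get("allow_tests"):
        findings.append(("ALLOW_TESTS", "disable in production"))
    host_name = config.get("host_name", "")
    if urlparse(host_name).scheme != "https":
        findings.append(("HOST_NAME_NOT_HTTPS", host_name))
    if file_mode & (stat.S_IRWXG | stat.S_IRWXO):  # secrets file readable by others
        findings.append(("CONFIG_WORLD_READABLE", oct(file_mode)))
    return findings


def audit_users(users, today, inactive_days=90):
    """Flag enabled-but-stale accounts, stale privileged accounts and orphaned API keys."""
    findings = []
    for u in users:
        last = u.get("last_login")
        last_date = datetime.strptime(last, "%Y-%m-%d %H:%M:%S").date() if last else None
        stale = last_date is None or (today - last_date).days > inactive_days
        privileged = PRIVILEGED_ROLES & set(u.get("roles", []))
        if u.get("enabled") and stale:
            findings.append(("STALE_ENABLED_USER", u["name"]))
            if privileged:
                findings.append(("STALE_PRIVILEGED_USER", u["name"]))
        # An API key on a disabled or stale account is an unattended credential.
        if u.get("api_key") and (not u.get("enabled") or stale):
            findings.append(("ORPHANED_API_KEY", u["name"]))
    return findings


if __name__ == "__main__":
    for f in audit_site_config(SAMPLE_SITE_CONFIG, SAMPLE_SITE_CONFIG_MODE):
        print("config:", *f)
    for f in audit_users(SAMPLE_USERS, AUDIT_DATE):
        print("user:", *f)
```

On a real bench the config dict comes from json.load on sites/<site>/site_config.json and the mode from os.stat(...).st_mode, and the user list from a bench console session; the functions themselves stay the same. The hardened config with mode 0600 produces no findings, which is the state to aim for before go-live.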