HomeBox deployments usually run in home/self-managed environments with broad LAN trust. Harden authentication, storage, and exposure settings before enabling remote access.
- Disable public registration after creating your initial admin account by setting
HBOX_OPTIONS_ALLOW_REGISTRATION=false
- Restrict admin accounts and remove stale users regularly
- Enforce strong passwords and use SSO/MFA through an auth proxy where possible
- Review share/public link settings periodically
- Configure appropriate user roles and permissions (admin vs user)
- Use invite-only registration (
HBOX_OPTIONS_INVITE_ONLY=true) for additional security
- Regularly audit user access and permissions
- Implement session management with appropriate timeouts
- Keep HomeBox behind HTTPS reverse proxy (nginx, Apache, Traefik, Caddy)
- Do not expose DB or container management sockets publicly
- Use rootless or hardened Docker images (
ghcr.io/sysadminsmedia/homebox:latest-rootless or :latest-hardened)
- Restrict file upload size and type if attachments are enabled (configure
HBOX_WEB_MAX_UPLOAD_SIZE)
- Use read-only mounts where possible for non-data volumes
- Run containers with minimal required privileges
- Configure proper session secrets (
HBOX_SESSION_SECRET) for production deployments
- Set secure cookie flags (
HBOX_SESSION_SECURE_COOKIE=true) when using HTTPS
- Use non-standard ports to reduce automated attacks (default is 7745, but you can map to any external port)
- Implement firewall rules to restrict access to authorized IPs when possible
- Use VPN or WireGuard for remote access instead of direct internet exposure
- Configure proper CORS settings if integrating with external tools
- Implement rate limiting (
HBOX_RATE_LIMIT_* variables) to prevent abuse
- Use proper domain configuration (
HBOX_SERVER_PUBLIC_URL) for security headers
- Encrypt backup archives containing inventory metadata and media files
- Test restore flows after version upgrades
- Keep HomeBox image and base OS patches current
- Monitor auth and admin logs for unusual activity
- Use encrypted connections for external storage (S3, PostgreSQL)
- Implement proper access controls for sensitive data
- Regularly review and clean up old or unused data
- Enable OIDC SSO for centralized authentication if you have an identity provider
- Configure rate limiting for authentication attempts (
HBOX_RATE_LIMIT_AUTHENTICATION)
- Use strong secrets for OIDC client credentials
- Regularly rotate authentication tokens and secrets
- Configure secure session management with appropriate timeouts
- Enable automatic user creation (
HBOX_OIDC_AUTO_CREATE=true) carefully
- Use role assignment based on OIDC groups (
HBOX_OIDC_AUTO_ASSIGN_ROLES) with caution
- Pull images from official GHCR registry:
ghcr.io/sysadminsmedia/homebox
- Verify image signatures when possible
- Don’t run as root - use rootless images or proper user IDs
- Limit container resources to prevent resource exhaustion
- Mount only necessary volumes
- Use read-only root filesystem when possible (especially with rootless images)
- Drop unnecessary capabilities (
cap_drop: - ALL)
- Use security options like
no-new-privileges:true
- Implement proper file permissions for data directories
¶ 7) Monitoring and Auditing
- Enable appropriate logging levels (
HBOX_LOG_LEVEL=info or higher in production)
- Monitor authentication logs for suspicious activity
- Set up health checks to detect service disruptions
- Regular security audits of configurations and access logs
- Enable metrics endpoint (
HBOX_SERVER_METRICS_ENABLED=true) with proper authentication
- Monitor MQTT traffic if enabled for IoT integrations
- Set up alerts for failed login attempts or unusual activity
- Collections Security: When using the Collections feature (v0.23.0+), ensure proper isolation between different collections
- MQTT Security: If using MQTT integration, secure the MQTT broker and use authentication
- Feature Flags: Disable unused features using feature flags (
HBOX_FEATURE_* variables)
- Environment Variables: Store sensitive configuration in environment variables, not in files
- Regular Updates: Stay current with security patches, but test in staging first
- Backup Security: Encrypt and secure backup files appropriately
- Network Segmentation: Place HomeBox on a separate network segment if possible
- HomeBox docs: https://homebox.software
- HomeBox source repository: https://github.com/sysadminsmedia/homebox
- HomeBox security policy: https://github.com/sysadminsmedia/homebox/security/policy
Any questions?
Feel free to contact us. Find all contact information on our contact page.