Part-DB stores component stock, pricing, and supplier metadata. Hardening should prioritize Symfony runtime patching, API key controls, and secure reverse-proxy deployment.
¶ 1) Enforce access control and token security
- Restrict administrator accounts to trusted operators.
- Rotate API keys and remove unused integrations regularly.
- Enforce strong session policies and logout behavior.
- Disable unused third-party integrations.
- Implement Two-Factor Authentication (2FA) using Google Authenticator or WebAuthn/U2F keys.
- Configure SAML SSO for enterprise environments with LDAP/Active Directory integration.
¶ 2) Keep Part-DB and dependencies patched
- Follow Part-DB security advisories and update to fixed releases.
- Keep Symfony and PHP dependencies current.
- Validate upgrade steps in staging before production.
- Review changelog for breaking security-related changes.
- Use the latest stable version (2.6.0), which includes security improvements and web-based updates.
¶ 3) Harden infrastructure and data protection
- Place the application behind an HTTPS reverse proxy that sets security headers.
- Keep the database and cache/internal services off the public network.
- Encrypt backups containing stock/supplier data.
- Restrict file permissions for uploaded attachments and config files.
- Implement proper firewall rules to limit access to the application.
- Use Docker security best practices when deploying with containers.
- Use strong passwords for database and application accounts.
- Store secrets securely using environment variables or secret management systems.
- Configure email settings for password reset functionality.
- Enable audit logging to track all user actions and changes.
- Set appropriate file upload restrictions to prevent malicious uploads.
¶ 5) Network and Access Security
- Use SSL/TLS certificates to encrypt traffic between clients and server.
- Implement rate limiting to prevent brute force attacks.
- Configure proper CORS settings if using API integrations.
- Restrict IP addresses that can access administrative functions when possible.
- Take regular backups and encrypt those containing sensitive data.
- Use access control lists to limit who can view or modify sensitive information.
- Define data retention policies for logs and temporary files.
- Follow secure deletion procedures for decommissioned hardware.
When using nginx as a reverse proxy, set these security headers in the server block. Note that `add_header` directives placed in a `location` block replace, rather than extend, the set defined at server level, so repeat the full set in any location block that adds its own headers:

```nginx
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
# Legacy header: current browsers have removed the XSS auditor it controlled, and a value of 0 is the modern recommendation
add_header X-XSS-Protection "1; mode=block";
# "always" sends the header on error responses too, not only on 2xx/3xx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 'unsafe-inline' and 'unsafe-eval' substantially weaken script-src; tighten them once the Part-DB UI has been tested without them
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
```
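As an added check, not part of Part-DB or its documentation, this Python script audits an nginx server block for the header set above: required headers present, HSTS max-age and `always`, weak CSP sources, the legacy X-XSS-Protection value, and `add_header` inside a `location` block (which replaces rather than extends the server-level headers). The sample configuration is the checklist's own header set, embedded as a constructed string; header names and the finding texts are this script's own.

```python
import re

# Headers the checklist above expects a Part-DB reverse proxy to send.
REQUIRED = ("X-Content-Type-Options", "X-Frame-Options",
            "Strict-Transport-Security", "Content-Security-Policy")
ONE_YEAR = 31536000
# add_header NAME VALUE [always];  VALUE may be quoted and contain ';'
ADD_HEADER_RE = re.compile(
    r"""add_header\s+([\w-]+)\s+("(?:[^"\\]|\\.)*"|'[^']*'|[^;\s]+)(\s+always)?\s*;""")

def parse_add_headers(config):
    """Map lower-cased header name -> (value, has_always) for each add_header directive."""
    headers = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0]  # drop nginx comments
        for name, value, always in ADD_HEADER_RE.findall(line):
            headers[name.lower()] = (value.strip("\"'"), bool(always))
    return headers

def audit(config):
    """Return sorted findings for one server block; an empty list means all checks pass."""
    hdrs = parse_add_headers(config)
    findings = [f"missing {h}" for h in REQUIRED if h.lower() not in hdrs]
    if "strict-transport-security" in hdrs:
        value, always = hdrs["strict-transport-security"]
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not always:
            findings.append("HSTS lacks 'always' (not sent on 4xx/5xx responses)")
    if "content-security-policy" in hdrs:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in hdrs["content-security-policy"][0]:
                findings.append(f"CSP allows {weak}")
    if hdrs.get("x-xss-protection", ("0", False))[0].startswith("1"):
        findings.append("X-XSS-Protection enabled; current browsers dropped the auditor, send '0' or omit it")
    # add_header inside a location block replaces, not extends, the server-level set
    if re.search(r"location\s+[^{]*\{[^}]*add_header", config):
        findings.append("location block sets add_header; server-level headers are not inherited there")
    return sorted(findings)

# Constructed sample: the header set from the checklist above, exactly as written there.
SAMPLE_CONFIG = """
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
"""
```

Run `audit(SAMPLE_CONFIG)` to list what the checklist's own header set leaves open; a tighter set (no X-XSS-Protection, no unsafe-* sources, `always` on every header) returns an empty list.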
- Part-DB documentation: https://docs.part-db.de/
- Part-DB source repository: https://github.com/Part-DB/Part-DB-server
- Part-DB advisory example (GHSA-f63m-p3gv-c2h8): https://github.com/Part-DB/Part-DB-server/security/advisories/GHSA-f63m-p3gv-c2h8