Cal.com handles user calendars, meeting links, and integration secrets (Google/Microsoft, conferencing, payments). Hardening should focus on identity controls, webhook/API credentials, and booking abuse prevention.
1) Enforce identity and RBAC controls
- Require SSO and MFA for organization administrators.
- Restrict workspace admin privileges and review role assignments regularly.
- Disable open registration for private deployments.
- Rotate API keys and personal access tokens on a fixed schedule.
2) Secure integrations, webhooks, and secrets
- Store OAuth/client secrets in protected environment variables.
- Validate webhook signatures and restrict callback origins.
- Limit third-party app scopes to minimum required permissions.
- Remove unused integrations and stale OAuth grants.
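The webhook item above is the one most often implemented incorrectly on the receiving side. The following TypeScript is an added example, not code from Cal.com or its docs: it verifies an HMAC-SHA256 webhook signature with a constant-time comparison and checks a subscriber callback URL against an allowlist before it is registered. The header name `X-Cal-Signature-256`, the hex-encoded HMAC-SHA256-over-raw-body construction, and the sample secret and payload are assumptions made for the illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed header name and signing scheme (hex HMAC-SHA256 of the raw request body).
export const SIGNATURE_HEADER = "x-cal-signature-256";

// Compute the signature the sender is expected to attach. Sign the RAW body bytes;
// re-serialising a parsed JSON object changes key order/whitespace and breaks verification.
export function computeSignature(secret: string, rawBody: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Verify a received signature. Returns false on a missing header, malformed hex,
// wrong length, or mismatch, and never uses `===` on the digest (timing side channel).
export function verifyWebhookSignature(
  secret: string,
  rawBody: string,
  headerValue: string | undefined
): boolean {
  if (!headerValue) return false;
  const received = headerValue.trim().toLowerCase();
  // A SHA-256 hex digest is exactly 64 hex characters; reject anything else up front.
  if (!/^[0-9a-f]{64}$/.test(received)) return false;
  const expected = Buffer.from(computeSignature(secret, rawBody), "hex");
  const candidate = Buffer.from(received, "hex");
  if (candidate.length !== expected.length) return false;
  return timingSafeEqual(candidate, expected);
}

// Restrict where webhooks may be delivered: only https and only hosts on an explicit
// allowlist, so an operator cannot point a subscription at an internal service.
export function isAllowedSubscriberUrl(candidateUrl: string, allowedHosts: string[]): boolean {
  let parsed: URL;
  try {
    parsed = new URL(candidateUrl);
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  if (parsed.username || parsed.password) return false; // no embedded credentials
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return allowed.has(parsed.hostname.toLowerCase());
}

// Constructed sample delivery (not a real Cal.com payload) to show the verify path end to end.
export function demo(): boolean {
  const secret = "constructed-webhook-secret";
  const rawBody = JSON.stringify({ triggerEvent: "BOOKING_CREATED", payload: { uid: "constructed-uid" } });
  const headers: Record<string, string> = { [SIGNATURE_HEADER]: computeSignature(secret, rawBody) };
  return verifyWebhookSignature(secret, rawBody, headers[SIGNATURE_HEADER]);
}
```

In a Next.js route handler this means reading the request body as text (or bytes) before any JSON parsing, passing that raw string to `verifyWebhookSignature`, and only then deserialising it; parse-then-verify is the classic mistake.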
3) Protect booking endpoints and infrastructure
- Rate-limit public booking endpoints to reduce abuse and scraping.
- Keep database/Redis/internal workers private.
- Enforce HTTPS and secure cookie/session settings.
- Encrypt backups containing booking and attendee metadata.
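To make the rate-limiting item concrete, here is an added TypeScript example (not Cal.com's own limiter) of a sliding-window limiter suitable for a public booking route: it keys on client address plus event-type slug, exposes `Retry-After` information, and derives the client address from `X-Forwarded-For` only when the deployment is explicitly marked as sitting behind a trusted proxy, since that header is otherwise attacker-controlled. The limit values, the `trustProxy` flag and the sample headers are assumptions for the illustration.

```typescript
export interface LimiterOptions {
  limit: number;     // max requests per window per key
  windowMs: number;  // window length in milliseconds
}

export interface Decision {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number; // 0 when allowed
}

// In-memory sliding window: keeps the timestamps of recent hits per key. For a
// multi-instance deployment the same logic would live in a shared store (e.g. Redis).
export class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();

  // `now` is injectable so behaviour can be tested without real time passing.
  constructor(private opts: LimiterOptions, private now: () => number = () => Date.now()) {}

  check(key: string): Decision {
    const t = this.now();
    const cutoff = t - this.opts.windowMs;
    // Drop hits that have aged out of the window.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > cutoff);
    if (recent.length >= this.opts.limit) {
      this.hits.set(key, recent);
      // Oldest hit in the window decides when capacity frees up.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.opts.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.opts.limit - recent.length, retryAfterMs: 0 };
  }
}

// Resolve the client address. Only honour X-Forwarded-For when a trusted reverse
// proxy is known to set it; otherwise the header lets a caller pick its own bucket.
export function clientAddress(
  headers: Record<string, string | undefined>,
  socketAddress: string,
  trustProxy: boolean
): string {
  const xff = headers["x-forwarded-for"];
  if (trustProxy && xff) {
    // Leftmost entry is the original client when the proxy appends its own hop.
    const first = xff.split(",")[0].trim();
    if (first) return first;
  }
  return socketAddress;
}

// Bucket per client per event type so one noisy booking page cannot exhaust others.
export function bookingKey(address: string, eventTypeSlug: string): string {
  return `booking:${eventTypeSlug}:${address}`;
}

// Constructed walkthrough (assumed limit: 5 booking attempts per minute per client).
export function demo(): Decision[] {
  let fakeNow = 0;
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000 }, () => fakeNow);
  const addr = clientAddress({ "x-forwarded-for": "203.0.113.10, 10.0.0.2" }, "10.0.0.2", true);
  const key = bookingKey(addr, "30min");
  const decisions: Decision[] = [];
  for (let i = 0; i < 6; i++) {
    fakeNow = i * 1000;
    decisions.push(limiter.check(key));
  }
  return decisions; // first five allowed, sixth rejected with retryAfterMs 55000
}
```

The filter-and-rewrite of the timestamp array is O(limit) per request, which is fine for small limits; a production limiter keyed on millions of clients would also need an eviction sweep for idle keys.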
- Cal.com docs: https://docs.cal.com/
- Cal.com source repository: https://github.com/calcom/cal.com
- Cal.com security policy: https://github.com/calcom/cal.com/security/policy