LimeSurvey is frequently used for research and regulated data collection. Security hardening should prioritize installation restrictions, a strict update cadence, and survey access controls.
- Restrict web server access to the application and upload paths.
- Block direct web access to executable and user-upload directories.
- Run with least-privilege file permissions for runtime paths.
- Keep database and admin interfaces off public network segments where possible.
- Track LimeSurvey security policy and release updates.
- Upgrade past versions affected by known XSS issues (e.g., CVE-2024-28709, fixed in 6.5.12; CVE-2024-28710, fixed in 6.5.0).
- Re-validate custom themes and plugins after applying security updates.
- Keep PHP and web server stack current.
- Restrict who can export full response datasets.
- Serve over HTTPS only and use secure session settings.
- Encrypt backup archives containing survey answers and participant metadata.
- Audit admin actions and survey permission changes.
- LimeSurvey manual security hints: https://www.limesurvey.org/manual/Installation_security_hints
- LimeSurvey source repository: https://github.com/LimeSurvey/LimeSurvey
- LimeSurvey security policy: https://github.com/LimeSurvey/LimeSurvey/security/policy
- LimeSurvey advisory references: https://advisories.gitlab.com/pkg/composer/limesurvey/limesurvey/CVE-2024-28709/ and https://advisories.gitlab.com/pkg/composer/limesurvey/limesurvey/CVE-2024-28710/
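As an added example (not code from the LimeSurvey project or its manual), a small Python audit that applies two of the checks above: it compares an installed version string against the fix releases for the two CVEs cited here, and scans a survey-upload tree for server-side scripts and world-writable entries. The upload/surveys/ layout and the sample tree it builds are constructed assumptions, not the project's documented paths.

```python
import re
import stat
import tempfile
from pathlib import Path

# Fix releases as stated in the advisories cited on this page.
FIXED_IN = {"CVE-2024-28709": (6, 5, 12), "CVE-2024-28710": (6, 5, 0)}

# Assumption: survey file uploads live under upload/surveys/ (constructed layout).
UPLOAD_SUBDIR = Path("upload") / "surveys"
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar"}

def parse_version(text):
    """Reduce '6.5.11+240522' to (6, 5, 11); build metadata is ignored."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised LimeSurvey version: {text!r}")
    return tuple(int(part) for part in match.groups())

def unpatched_advisories(version):
    """Return the cited CVEs whose fix release is newer than the installed version."""
    installed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if installed < fixed)

def audit_upload_dir(root):
    """Flag server-side scripts and world-writable entries in the upload tree."""
    root = Path(root)
    findings = []
    for path in sorted((root / UPLOAD_SUBDIR).rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(f"script in upload path: {rel}")
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append(f"world-writable: {rel}")
    return findings

def build_sample_tree():
    """Constructed install tree with two deliberate weaknesses for the audit."""
    root = Path(tempfile.mkdtemp(prefix="limesurvey-sample-"))
    files = root / UPLOAD_SUBDIR / "123456" / "files"
    files.mkdir(parents=True)
    (files / "answer.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (files / "form.php").write_text("<?php /* must never be served */")
    files.chmod(0o777)  # loose directory permissions
    return root

if __name__ == "__main__":
    print(unpatched_advisories("6.5.11"), audit_upload_dir(build_sample_tree()))
```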