Leantime stores project plans, tasks, comments, and team-level documents. Hardening should focus on role boundaries, plugin governance, and fast patching from official releases.
¶ 1) Secure admin and workspace access
- Restrict administrator accounts to a minimal operations group.
- Enforce a strong password policy, and where possible put Leantime behind SSO or an authenticating reverse proxy so that MFA is enforced before a request reaches the application.
- Disable open registration for private deployments.
- Audit project membership and permission changes regularly.
¶ 2) Protect integrations and automation secrets
- Store API/SMTP/third-party credentials in secret management, not repo files.
- Rotate deploy and integration tokens on schedule.
- Allowlist the destination hosts of outbound webhook callbacks (HTTPS only, no IP literals) so a user-supplied callback URL cannot be pointed at internal services.
- Remove unused integrations and stale personal tokens.
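The callback-URL allowlist check described above, written out as an added example in Python (this is illustrative code, not Leantime's own implementation). The approved-host list, the helper names and the rejection messages are all assumptions made for the example; the check rejects non-HTTPS schemes, embedded credentials, IP literals, non-standard ports and any host that is not an approved host or a subdomain of an entry written with a leading dot.

```python
"""Validate outbound webhook callback URLs against an operator allowlist.

Added example, not Leantime project code. APPROVED_HOSTS is a constructed
allowlist: plain entries match exactly, entries with a leading dot match
that domain and any subdomain of it.
"""
import ipaddress
from urllib.parse import urlsplit

APPROVED_HOSTS = {"hooks.slack.com", ".hooks.example.com"}  # constructed


def host_allowed(host: str, approved=APPROVED_HOSTS) -> bool:
    """Exact match, or subdomain match for entries that start with a dot."""
    host = host.lower().rstrip(".")
    for entry in approved:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def validate_callback_url(url: str, approved=APPROVED_HOSTS) -> str:
    """Return a canonical https URL if it may be called, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("callback must use https")
    # "https://hooks.slack.com@evil.example/" parses with username set and
    # hostname evil.example, so reject userinfo outright rather than trusting
    # whatever appears before the '@'.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in callback URL")
    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue
    else:
        raise ValueError("IP literals not allowed; use an approved hostname")
    try:
        port = parts.port
    except ValueError:
        raise ValueError("invalid port")
    if port not in (None, 443):
        raise ValueError("non-standard port")
    if not host_allowed(host, approved):
        raise ValueError(f"host {host!r} not on allowlist")
    canonical = f"https://{host}{parts.path or '/'}"
    if parts.query:
        canonical += f"?{parts.query}"
    return canonical


def callback_url_rejection(url: str, approved=APPROVED_HOSTS):
    """Return None if the URL is allowed, otherwise the rejection reason."""
    try:
        validate_callback_url(url, approved)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for candidate in [
        "https://HOOKS.SLACK.COM/services/T1/B2",
        "https://hooks.slack.com@evil.example/x",
        "https://hooks.slack.com.evil.example/x",
        "https://127.0.0.1/admin",
    ]:
        print(candidate, "->", callback_url_rejection(candidate) or "allowed")
```

Note that this validates the URL string only; it does not resolve the hostname, so an approved domain whose DNS is under an attacker's control (or that rebinds to an internal address) is not caught here. Resolving and checking the address at request time is a separate control.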
¶ 3) Patch and monitor continuously
- Track Leantime releases and security disclosures.
- Apply Leantime updates promptly, and keep the PHP runtime and database stack on supported, patched versions as part of the same maintenance cycle.
- Encrypt backups containing project documents and comments.
- Monitor login failures and abnormal bulk changes in projects/tasks.
- Leantime source repository: https://github.com/Leantime/leantime
- Leantime responsible disclosure policy: https://leantime.io/responsible-disclosure-policy/
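The monitoring item above (login failures and abnormal bulk changes) as an added detection example in Python, not code from Leantime. The log line format, the thresholds and the sample events are all constructed for this example; Leantime's real log format is not assumed here, so the parser would need to be adapted to whatever the deployment actually emits. The detector keeps a sliding window per source (IP for login failures, user for task changes) and raises one alert when a window crosses its threshold.

```python
"""Sliding-window detection of brute-force logins and bulk task changes.

Added example, not Leantime project code. The log format below is
constructed: "<ISO timestamp> <event> key=value ...". Thresholds are
illustrative starting points, not recommended values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")

# (rule name, events counted, field identifying the actor, threshold, window)
RULES = [
    ("login_failures_per_ip", {"login_failed"}, "ip", 5, timedelta(minutes=5)),
    ("bulk_task_changes_per_user", {"task_updated", "task_deleted"}, "user",
     20, timedelta(minutes=10)),
]


def parse_line(line: str):
    """Return (timestamp, event, fields) or None for lines that do not parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts = datetime.fromisoformat(match["ts"].replace("Z", "+00:00"))
    fields = dict(kv.split("=", 1) for kv in match["kv"].split())
    return ts, match["event"], fields


def detect(lines):
    """Return [(rule, key, iso_timestamp)] for every threshold crossing."""
    alerts = []
    windows = {name: defaultdict(deque) for name, *_ in RULES}
    for line in lines:  # lines are expected in chronological order
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, fields = parsed
        for name, events, key_field, threshold, window in RULES:
            if event not in events or key_field not in fields:
                continue
            queue = windows[name][fields[key_field]]
            queue.append(ts)
            while queue and ts - queue[0] > window:
                queue.popleft()  # drop events that fell out of the window
            if len(queue) >= threshold:
                alerts.append((name, fields[key_field], ts.isoformat()))
                queue.clear()  # re-arm: alert again only after a fresh burst
    return alerts


def build_sample_log():
    """Constructed events: one brute-force burst, one bulk edit, two benign actors."""
    base = datetime(2024, 5, 2, 10, 0, tzinfo=timezone.utc)

    def stamp(delta):
        return (base + delta).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(timedelta(seconds=20 * i))} login_failed user=admin ip=203.0.113.7"
             for i in range(6)]                     # 6 failures in 100 s: alert
    lines += [f"{stamp(timedelta(minutes=2, seconds=30 * i))} login_failed user=dave ip=198.51.100.4"
              for i in range(3)]                    # 3 failures: below threshold
    lines += [f"{stamp(timedelta(minutes=5, seconds=12 * i))} task_updated user=mallory project=7 task={400 + i}"
              for i in range(20)]                   # 20 edits in 4 min: alert
    lines += [f"{stamp(timedelta(hours=1 + i))} task_updated user=carol project=7 task={500 + i}"
              for i in range(5)]                    # 5 edits over 5 h: normal
    lines.append("malformed line with no timestamp")  # must be skipped, not crash
    return sorted(lines)  # ISO timestamps sort chronologically as strings


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```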