Taiga includes frontend, backend, and async/event services. Security should focus on strict CORS/origin controls, secret management, and role protection for project administrators.
¶ 1) Protect identity and project-admin roles
- Disable open registration unless explicitly required.
- Restrict project-admin and system-admin roles to trusted users.
- Enforce SSO and MFA where available through the identity provider.
- Rotate API tokens and integration secrets frequently.
¶ 2) Harden API origins and service exposure
- Restrict allowed hosts and CORS origins to the production domains only; never use wildcards.
- Keep RabbitMQ, Redis and PostgreSQL reachable only from Taiga's own services, never from the public network.
- Enforce HTTPS + HSTS on all user-facing endpoints.
- Apply rate limiting on auth and API endpoints.
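The registration, secret and origin points from sections 1 and 2 can be checked mechanically before a deployment goes live. The following is an added example, not code from the Taiga project: it lints an env-style configuration file against those points. The variable names (TAIGA_SCHEME, TAIGA_DOMAIN, SECRET_KEY, PUBLIC_REGISTER_ENABLED, ALLOWED_HOSTS, CORS_ALLOWED_ORIGINS) and the sample values are assumptions about a deployment's naming, so map them to whatever your own compose or settings files use.

```python
"""Added example: lint a Taiga-style .env against the hardening checklist.

The variable names below are assumed for illustration; they are not taken
from Taiga's documented configuration. Both sample files are constructed.
"""

# Constructed sample: a development-style file that violates every point.
WEAK_ENV = """\
TAIGA_SCHEME=http
TAIGA_DOMAIN=taiga.example.com
SECRET_KEY=taiga-secret-key
PUBLIC_REGISTER_ENABLED=True
ALLOWED_HOSTS=*
CORS_ALLOWED_ORIGINS=https://taiga.example.com,*
"""

# Constructed sample: the same file after hardening (placeholder secret).
HARDENED_ENV = """\
TAIGA_SCHEME=https
TAIGA_DOMAIN=taiga.example.com
SECRET_KEY=4d8f2a9c1e7b3f6a0c5d9e2b8f1a7c3e6d0b4f9a2c8e1d5b7f3a9c6e0d2b8f4a
PUBLIC_REGISTER_ENABLED=False
ALLOWED_HOSTS=taiga.example.com
CORS_ALLOWED_ORIGINS=https://taiga.example.com
"""

# Placeholder values that must never reach production (assumed list).
WEAK_SECRETS = {"", "taiga-secret-key", "changeme", "secret"}
TRUE_VALUES = {"true", "1", "yes"}


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; ignores blanks and '#' comments, strips quotes."""
    env: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(env: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # Section 2: HTTPS on user-facing endpoints.
    if env.get("TAIGA_SCHEME", "").lower() != "https":
        findings.append("TAIGA_SCHEME is not https")

    # Section 1: open registration must be off unless explicitly required.
    if env.get("PUBLIC_REGISTER_ENABLED", "False").lower() in TRUE_VALUES:
        findings.append("PUBLIC_REGISTER_ENABLED is on; disable open registration")

    # Section 1: secret management. Length threshold is an assumption.
    secret = env.get("SECRET_KEY", "")
    if secret in WEAK_SECRETS or len(secret) < 32:
        findings.append("SECRET_KEY is a known placeholder or shorter than 32 chars")

    # Section 2: allowed hosts pinned to production domains, no wildcard.
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or contains a wildcard")

    # Section 2: CORS origins must be explicit https origins.
    for origin in env.get("CORS_ALLOWED_ORIGINS", "").split(","):
        origin = origin.strip()
        if origin == "*" or (origin and not origin.startswith("https://")):
            findings.append(f"CORS origin {origin!r} is a wildcard or not https")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(label, check_env(parse_env(text)) or "OK")
```

Run it against the real file by replacing the constructed samples with `open(".env").read()`; a non-empty list from `check_env` is a reason to block the rollout.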
¶ 3) Secure operations and update cadence
- Follow Taiga security reporting guidance and stable releases.
- Patch Taiga backend/frontend and dependencies on schedule.
- Encrypt backups, since they contain project artifacts and user data.
- Audit permission changes and project visibility modifications.
- Taiga security statement: https://taiga.io/security/
- Taiga source repositories: https://github.com/taigaio
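Auditing permission and visibility changes (section 3) is easiest when you keep periodic snapshots of each project's membership and privacy flag and diff consecutive ones. The following is an added example, not code from the Taiga project: the snapshot shape (project name, `is_private` flag, member-to-role mapping) and the role names treated as privileged are constructed assumptions, so adapt them to whatever your export or API call returns.

```python
"""Added example: diff two snapshots of project membership and visibility.

The snapshot layout and the role names are assumptions for illustration,
not Taiga's data model. Both snapshots below are constructed.
"""

# Role names considered privileged (assumption; adjust to your role setup).
ADMIN_ROLES = {"admin", "owner"}

# Constructed snapshot taken before a set of changes.
BEFORE = {
    "roadmap": {
        "is_private": True,
        "members": {"alice": "owner", "bob": "member", "carol": "member"},
    },
    "website": {"is_private": True, "members": {"dave": "owner"}},
}

# Constructed snapshot taken afterwards: bob was promoted, carol removed,
# eve added, and the website project was made public.
AFTER = {
    "roadmap": {
        "is_private": True,
        "members": {"alice": "owner", "bob": "admin", "eve": "member"},
    },
    "website": {"is_private": False, "members": {"dave": "owner"}},
}


def audit_changes(before: dict, after: dict) -> list[str]:
    """Return sorted alert lines for every change worth a reviewer's attention."""
    alerts: list[str] = []
    empty = {"is_private": True, "members": {}}

    for name, proj in after.items():
        old = before.get(name, empty)

        # Visibility flips from private to public expose all project data.
        if old["is_private"] and not proj["is_private"]:
            alerts.append(f"{name}: visibility changed private -> public")

        for user, role in proj["members"].items():
            old_role = old["members"].get(user)
            if role in ADMIN_ROLES and old_role not in ADMIN_ROLES:
                # Escalation into a privileged role, whether new or promoted.
                was = old_role or "not a member"
                alerts.append(f"{name}: {user} granted {role} (was {was})")
            elif old_role is None:
                alerts.append(f"{name}: {user} added as {role}")

        for user in set(old["members"]) - set(proj["members"]):
            alerts.append(f"{name}: {user} removed")

    for name in set(before) - set(after):
        alerts.append(f"{name}: project deleted")

    return sorted(alerts)


if __name__ == "__main__":
    for line in audit_changes(BEFORE, AFTER):
        print(line)
```

Scheduling this diff (for example nightly, against a snapshot stored with the encrypted backups) gives a durable record of who gained administrative rights and when a project stopped being private, independent of the application's own logs.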