Wekan is a Kanban board platform with attachments and team collaboration data. Security hardening should focus on private-board defaults, admin controls, and server-side validation boundaries.
¶ 1) Enforce board privacy and access policy
- Keep boards private by default and disable public boards globally if not needed.
- Restrict admin panel access to trusted operators.
- Review team/org memberships regularly.
- Disable unused auth methods and stale accounts.
¶ 2) Harden upload and client-update boundaries
- Keep attachment handling aligned with current Wekan safeguards.
- Restrict risky content types and avoid inline rendering of unsafe formats.
- Validate that sensitive user fields remain server-side protected.
- Apply reverse-proxy rate limits for auth and write endpoints.
¶ 3) Protect runtime and secrets
- Run Wekan behind an HTTPS reverse proxy.
- Keep MongoDB and internal services private.
- Rotate MAIL_URL and integration credentials regularly.
- Patch Wekan and base images on a regular schedule.
- Wekan security policy and disclosure: https://github.com/wekan/wekan/security
- Wekan project site: https://wekan.github.io/
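The reverse-proxy bullets above (HTTPS termination, rate limits on auth and write endpoints, keeping the app and internal services off the public network) can be expressed in one nginx server block. This is an added example, not Wekan's own or the project's shipped configuration. It assumes Wekan is bound to 127.0.0.1:8080 so it is only reachable through the proxy, that the hostname kanban.example.org and the certificate paths under /etc/ssl/wekan/ are yours to substitute, and that the REST API's token login is POST /users/login with other API routes under /api/ (verify both against the API docs for your Wekan version).

```nginx
# Added example (not Wekan's own config). Assumptions: Wekan on 127.0.0.1:8080,
# placeholder hostname and certificate paths, REST login at POST /users/login.

# Per-client buckets: login guessing and bulk writes are throttled separately.
limit_req_zone $binary_remote_addr zone=wekan_auth:10m  rate=5r/m;
limit_req_zone $wekan_write_key    zone=wekan_write:10m rate=60r/m;

# Only mutating methods count against the write bucket; an empty key is not counted.
map $request_method $wekan_write_key {
    default  "";
    POST     $binary_remote_addr;
    PUT      $binary_remote_addr;
    PATCH    $binary_remote_addr;
    DELETE   $binary_remote_addr;
}

# Meteor/DDP needs the Upgrade header forwarded for websocket connections.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name kanban.example.org;
    return 301 https://$host$request_uri;   # plain HTTP only redirects to HTTPS
}

server {
    listen 443 ssl http2;
    server_name kanban.example.org;

    ssl_certificate     /etc/ssl/wekan/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/wekan/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;   # no MIME sniffing of attachments
    add_header X-Frame-Options SAMEORIGIN always;

    client_max_body_size 20m;   # cap attachment uploads at the proxy as well

    # Shared proxy settings, inherited by the locations below.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    # REST API token login: strict per-client limit, 429 when exceeded.
    location = /users/login {
        limit_req zone=wekan_auth burst=5 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8080;
    }

    # REST API writes are throttled; GET requests have an empty key and pass through.
    location /api/ {
        limit_req zone=wekan_write burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8080;
    }

    # Everything else, including the DDP websocket used by the browser client.
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two caveats when adapting this. Browser logins travel over the DDP websocket rather than /users/login, so the per-request limit only covers the REST API; the websocket path can be bounded per client with `limit_conn` or with Wekan's own settings, but not per login attempt at the proxy. And `client_max_body_size` should be kept in step with whatever attachment size limit Wekan itself enforces, since the proxy limit is a backstop rather than the authoritative check.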