Forgejo has a broad attack surface (web UI, API, git over SSH/HTTP, actions runners, package registry). Hardening must focus on runner isolation, secret handling, and fast security-release patching.
¶ 1) Core app.ini settings
# /etc/forgejo/app.ini (example)
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
[security]
INSTALL_LOCK = true
PASSWORD_HASH_ALGO = argon2
LOGIN_REMEMBER_DAYS = 7
[server]
ROOT_URL = https://forge.example.com/
SSH_DOMAIN = forge.example.com
PROTOCOL = http
- Disable open registration for private/team-only deployments.
- Keep INSTALL_LOCK=true after initial setup.
- Use Argon2 password hashing and shorten remember-me session lifetime (LOGIN_REMEMBER_DAYS).
- Terminate TLS at reverse proxy and forward trusted headers correctly.
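The checklist above maps directly onto app.ini keys, so it can be audited mechanically. The following is an added example (not Forgejo's own tooling): it parses an app.ini with the standard library and reports every key that deviates from the hardened values listed here. The sample configuration is constructed for the example and deliberately weakens three settings so the audit has something to flag; the expected-value table is an assumption drawn from this page, not an official baseline.

```python
import configparser

# Constructed sample app.ini (not a real deployment). Three settings are
# weakened on purpose: INSTALL_LOCK, PASSWORD_HASH_ALGO, LOGIN_REMEMBER_DAYS.
SAMPLE_APP_INI = """\
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true

[security]
INSTALL_LOCK = false
PASSWORD_HASH_ALGO = pbkdf2   ; should be argon2
LOGIN_REMEMBER_DAYS = 30

[server]
ROOT_URL = https://forge.example.com/
SSH_DOMAIN = forge.example.com
PROTOCOL = http
"""

# Hardened baseline taken from the checklist on this page (assumption, not
# a Forgejo-published policy). Modes: eq = exact match (case-insensitive),
# max = numeric upper bound, prefix = value must start with the string.
EXPECTED = {
    ("service", "DISABLE_REGISTRATION"): ("eq", "true"),
    ("service", "REQUIRE_SIGNIN_VIEW"): ("eq", "true"),
    ("security", "INSTALL_LOCK"): ("eq", "true"),
    ("security", "PASSWORD_HASH_ALGO"): ("eq", "argon2"),
    ("security", "LOGIN_REMEMBER_DAYS"): ("max", 7),
    ("server", "ROOT_URL"): ("prefix", "https://"),
}


def load_app_ini(text):
    """Parse app.ini text. Forgejo keys are case-sensitive upper-case and the
    file may use ';' or '#' inline comments, so configure the parser for that."""
    parser = configparser.ConfigParser(
        interpolation=None,          # '%' in values must not be expanded
        strict=False,                # tolerate duplicate keys/sections
        inline_comment_prefixes=(";", "#"),
    )
    parser.optionxform = str         # preserve key case
    parser.read_string(text)
    return parser


def _satisfies(mode, want, actual):
    if mode == "eq":
        return actual.lower() == want
    if mode == "max":
        try:
            return int(actual) <= want
        except ValueError:
            return False
    if mode == "prefix":
        return actual.startswith(want)
    raise ValueError(f"unknown mode {mode!r}")


def audit(text):
    """Return a list of (section, key, actual, expected) for every deviation.
    A missing key is reported with actual=None."""
    cfg = load_app_ini(text)
    findings = []
    for (section, key), (mode, want) in EXPECTED.items():
        actual = cfg.get(section, key, fallback=None)
        if actual is None or not _satisfies(mode, want, actual.strip()):
            findings.append((section, key, actual, f"{mode} {want}"))
    return findings


if __name__ == "__main__":
    for section, key, actual, expected in audit(SAMPLE_APP_INI):
        print(f"[{section}] {key} = {actual!r} (expected {expected})")
```

Run it against a real file with `audit(open("/etc/forgejo/app.ini").read())`; an empty result means every listed key matches the baseline, which complements the grep-based verification commands later on the page by also checking the values, not just the presence, of each key.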
¶ 2) Isolate Actions runners and secrets
- Use dedicated runner hosts or containers; never run runners on the same host as the database or the Forgejo data plane.
- Use least-privilege repository/org secrets and remove unused secrets.
- Restrict who can create runners and organization-level variables.
- Pin action versions/commit SHAs to reduce supply-chain drift.
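Pinning to a commit SHA is easy to state and easy to let drift, so it is worth checking in CI. The following is an added example, not Forgejo or runner code: it scans workflow files for `uses:` references and classifies each as SHA-pinned, tag-pinned, or floating on a branch. Local (`./`) and `docker://` references are reported separately because the SHA rule does not apply to them in the same way. The sample workflow and the 40-hex commit value in it are constructed for the example.

```python
import re

# Constructed sample workflow (not from the page). The SHA below is a
# placeholder, not a real commit of the referenced action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: https://code.forgejo.org/actions/cache@main
      - uses: ./.forgejo/actions/local-lint
      - uses: docker://alpine:3.19
      - run: go test ./...
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <ref>" whether or not it starts a list item; stops at
# whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FLOATING_BRANCHES = {"main", "master", "HEAD"}


def classify_ref(ref):
    """Classify one uses: reference.
    sha        -> pinned to a full 40-hex commit (what the checklist asks for)
    tag        -> pinned to a mutable tag such as @v4
    unpinned   -> no @version or a branch name
    local      -> action inside this repository
    container  -> docker:// image reference"""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "container"
    if "@" not in ref:
        return "unpinned"
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "sha"
    if version in FLOATING_BRANCHES:
        return "unpinned"
    return "tag"


def audit_workflow(text):
    """Return [(ref, classification)] for every uses: line in the workflow."""
    results = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            results.append((ref, classify_ref(ref)))
    return results


def unpinned_refs(text):
    """References that float (tag or branch) and should be pinned to a SHA."""
    return [ref for ref, kind in audit_workflow(text) if kind in ("tag", "unpinned")]


if __name__ == "__main__":
    for ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:10} {ref}")
```

Tag references are reported alongside branch references because a tag can be moved after the fact; the SHA is the only immutable handle. Container images are listed but not flagged, since the equivalent control there is a digest rather than a git commit.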
¶ 3) SSH and token hardening
- Restrict SSH listen address by firewall/VPN where possible.
- Enforce short expiration and narrow scopes for access tokens.
- Rotate deploy keys and robot credentials on a fixed schedule.
- Disable unused OAuth/OpenID providers.
¶ 4) Patching and upgrades
- Track Forgejo security releases and patch quickly.
- Validate upgrades in staging, then roll to production with a backup and rollback plan.
- Review release notes for auth/session/cross-site issues affecting the web UI and APIs.
¶ Verification commands
sudo grep -E '^(DISABLE_REGISTRATION|REQUIRE_SIGNIN_VIEW|INSTALL_LOCK|PASSWORD_HASH_ALGO)' /etc/forgejo/app.ini
sudo forgejo --version
sudo ss -tulpn | grep -E ':22|:3000'
¶ Resources
- Forgejo docs: https://forgejo.org/docs/
- Forgejo security release stream: https://forgejo.org/news/
- Forgejo source: https://codeberg.org/forgejo/forgejo