For Gitea, prioritize secure defaults in app.ini, strict secret/token handling, and regular security updates. Most production incidents come from exposed registration, weak token governance, or untrusted workflow execution.
## 1) Secure defaults in app.ini

```ini
# /etc/gitea/app.ini (example)
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true

[security]
INSTALL_LOCK = true
PASSWORD_HASH_ALGO = argon2

[session]
COOKIE_SECURE = true
SAME_SITE = strict
```
- Disable open registration unless public onboarding is required.
- Keep INSTALL_LOCK enabled after installation.
- Use secure cookies and restrictive same-site policy.
- Restrict local account creation if SSO is authoritative.
## 2) Harden authentication and tokens
- Require MFA for administrators and maintainers.
- Require expiration for access tokens and reduce allowed scopes.
- Rotate deploy keys, webhooks, and OAuth secrets on schedule.
- Remove inactive users and stale bot accounts.
## 3) Harden Actions, webhooks, and registries
- Isolate Gitea Actions runners from control-plane services.
- Scope CI secrets so they are exposed only to workflows running on protected branches.
- Require webhook signatures and allow-list webhook destinations.
- Disable unused package registries to reduce exposed endpoints.
## 4) Update and incident response
- Track Gitea security advisories and patch quickly.
- Keep database, reverse proxy, and SSH stack updated with Gitea.
- Back up repositories and app.ini, then test restore regularly.
## Verification commands

```bash
# Confirm the [service] and [security] hardening keys are present with the intended values
sudo grep -E '^(DISABLE_REGISTRATION|REQUIRE_SIGNIN_VIEW|INSTALL_LOCK|PASSWORD_HASH_ALGO)' /etc/gitea/app.ini
# Confirm the running build so it can be compared against the current advisories
sudo gitea --version
# Confirm the [session] cookie settings
sudo grep -E 'COOKIE_SECURE|SAME_SITE' /etc/gitea/app.ini
```
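The grep checks above only show keys that are present; a key that is absent silently leaves Gitea's built-in default in force. As an added example that is not part of the original page, this Python audit parses app.ini with the standard library configparser and reports every setting from section 1 that is missing or weak. The EXPECTED table, the sample app.ini and the script name are constructed here, and treating Gitea's default for each listed key as the permissive choice is an assumption.

```python
import configparser
import sys

# (section, key) -> value the checklist above expects. Assumption: a key absent from app.ini
# falls back to Gitea's built-in default, the permissive choice for these keys, so it is a finding.
EXPECTED = {
    ("service", "DISABLE_REGISTRATION"): "true",
    ("service", "REQUIRE_SIGNIN_VIEW"): "true",
    ("security", "INSTALL_LOCK"): "true",
    ("security", "PASSWORD_HASH_ALGO"): "argon2",
    ("session", "COOKIE_SECURE"): "true",
    ("session", "SAME_SITE"): "strict",
}

def parse_app_ini(text):
    # Two quirks break a naive configparser load: Gitea allows keys before the first [section],
    # so give them a synthetic section ([DEFAULT] would leak into every section), and values
    # such as %(PROTOCOL)s are Gitea references, so interpolation must be disabled.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key case, as Gitea's own loader does
    cp.read_string("[__gitea_root__]\n" + text)
    return cp

def audit(text):
    """Return one finding per missing or weak setting; an empty list means every check passed."""
    cp = parse_app_ini(text)
    findings = []
    for (section, key), want in EXPECTED.items():
        if not cp.has_option(section, key):
            findings.append(f"[{section}] {key} missing (Gitea default applies; set {want})")
        elif (cp.get(section, key) or "").strip().lower() != want:
            findings.append(f"[{section}] {key} = {cp.get(section, key)} (expected {want})")
    return findings

SAMPLE_INI = """; constructed sample, not a real deployment: two weak settings and one missing key
RUN_MODE = prod
[server]
LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = true
[security]
INSTALL_LOCK = true
PASSWORD_HASH_ALGO = pbkdf2
[session]
COOKIE_SECURE = true
"""
if __name__ == "__main__":  # usage: python3 audit_gitea_ini.py [/etc/gitea/app.ini]
    found = audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI)
    print("\n".join(found) or "all hardening checks passed")
    sys.exit(1 if found else 0)
```

The non-zero exit status makes the script usable as a gate in a configuration pipeline, so a drift in app.ini fails the run rather than passing unnoticed.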
- Gitea documentation: https://docs.gitea.com/
- Gitea MFA docs: https://docs.gitea.com/usage/multi-factor-authentication
- Gitea security advisories: https://github.com/go-gitea/gitea/security
- Gitea security page: https://about.gitea.com/security