Kallithea supports both Git and Mercurial and is often integrated with external authentication. Hardening should prioritize auth backend hygiene, permission model review, and VCS service isolation.
¶ 1) Harden kallithea.ini and auth model
# /etc/kallithea/kallithea.ini (example)
use_htsts = true
auth_plugins = auth_internal
allow_repo_creation = false
allow_repo_group_creation = false
- Disable self-service repository creation unless explicitly needed.
- Keep only required auth plugins enabled.
- Use secure session/cookie settings when behind TLS reverse proxy.
- Restrict admin users to a small, audited group.
¶ 2) Lock VCS backends and repositories
- Run Kallithea and VCS helpers under a dedicated unprivileged account.
- Store repositories on a dedicated path with strict owner/group permissions.
- Restrict access to Mercurial and Git hooks to trusted admins.
- Block direct filesystem access from web users to repository internals.
¶ 3) API, webhook, and extension control
- Limit API tokens to minimum required scope.
- Rotate webhook secrets and remove stale integrations.
- Validate outbound webhook targets against an allow-list.
- Monitor pull-request and permission-change audit logs.
¶ 4) Patch and dependency policy
- Keep Kallithea and Python dependencies updated.
- Patch reverse proxy and database services in the same maintenance window.
- Validate backup/restore of repositories and metadata after upgrades.
¶ Verification commands
sudo grep -E '^(auth_plugins|allow_repo_creation|allow_repo_group_creation|use_htsts)' /etc/kallithea/kallithea.ini
sudo -u kallithea kallithea-cli -c /etc/kallithea/kallithea.ini db current
sudo journalctl -u kallithea --since '24 hours ago' | grep -Ei 'auth|permission|forbidden'
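As an added example (not code from the Kallithea project), the following script audits the settings from section 1 with an ini parser instead of grep, so commented-out or multi-plugin lines are handled correctly. It assumes the settings live in the `[app:main]` section of a Paste-style kallithea.ini and runs against a constructed sample rather than a real deployment file.

```python
import configparser

# Constructed sample of a kallithea.ini [app:main] section (not a real deployment file).
SAMPLE_INI = """\
[app:main]
use_htsts = false
auth_plugins = kallithea.lib.auth_modules.auth_internal, kallithea.lib.auth_modules.auth_ldap
allow_repo_creation = true
allow_repo_group_creation = false
"""

# Hardened values expected by the checklist above.
EXPECTED = {
    "use_htsts": "true",
    "allow_repo_creation": "false",
    "allow_repo_group_creation": "false",
}


def parse_ini(text):
    # Paste ini files may contain %(here)s; disable interpolation so they parse.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text, section="app:main", allowed_plugins=("auth_internal",)):
    """Return a list of findings; an empty list means all checked keys are hardened."""
    cp = parse_ini(text)
    if not cp.has_section(section):
        return [f"missing section [{section}]"]
    sec = cp[section]
    findings = []
    for key, want in EXPECTED.items():
        got = sec.get(key)
        if got is None:
            findings.append(f"{key}: not set (want {want})")
        elif got.strip().lower() != want:
            findings.append(f"{key}: is {got.strip()!r}, want {want!r}")
    # auth_plugins is comma-separated; compare the last dotted component of each entry.
    plugins = [p.strip() for p in sec.get("auth_plugins", "").split(",") if p.strip()]
    for plugin in plugins:
        if plugin.rsplit(".", 1)[-1] not in allowed_plugins:
            findings.append(f"auth_plugins: unexpected plugin {plugin}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```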
- Kallithea documentation: https://docs.kallithea.org/
- Kallithea source: https://github.com/kallithea/kallithea