Pagure combines git hosting with ticketing and pull requests. Security depends on strict authorization, hardened webhook flows, and careful control of worker/background services.
¶ 1) Harden authentication and sessions
```python
# /etc/pagure/pagure.cfg (example)
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
PAGURE_AUTH = "oidc"
ALLOW_USER_REGISTRATION = False
```
- Disable open registration on private instances.
- Prefer centralized auth (OIDC/SSO) with MFA at IdP level.
- Protect session cookies with secure + httponly settings.
- Keep secret keys out of repositories and world-readable config files.
¶ 2) Lock webhook and integration trust boundaries
- Require signed webhooks and verify signatures on receivers.
- Allow-list webhook destinations.
- Restrict who can create/modify project hooks.
- Monitor unusual outbound webhook bursts or repeated failures.
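As an added example (not code from the Pagure project), a receiver-side check for the signed-webhook requirement above. It assumes Pagure signs the raw request body with the project's hook token and sends the hex HMAC-SHA256 in X-Pagure-Signature-256 (with X-Pagure-Signature carrying the SHA-1 variant); the token and payload are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample token; a real deployment uses the project's hook token.
HOOK_TOKEN = b"example-hook-token-not-real"


def sign_payload(body: bytes, token: bytes) -> dict:
    """Sender side (mimicked for the test): HMAC the raw body with the hook token.
    Assumption: header names match Pagure's documented X-Pagure-Signature headers."""
    return {
        "X-Pagure-Signature": hmac.new(token, body, hashlib.sha1).hexdigest(),
        "X-Pagure-Signature-256": hmac.new(token, body, hashlib.sha256).hexdigest(),
    }


def verify_signature(body: bytes, headers: dict, token: bytes) -> bool:
    """Receiver side: recompute HMAC-SHA256 over the raw body and compare in
    constant time. A missing or malformed header is a rejection, and there is
    deliberately no fallback to the weaker SHA-1 header."""
    provided = headers.get("X-Pagure-Signature-256", "")
    if len(provided) != 64:
        return False
    expected = hmac.new(token, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


def handle_webhook(body: bytes, headers: dict, token: bytes) -> str:
    """Parse the JSON only after the signature checks out.
    Returns the event topic, or 'rejected' when verification fails."""
    if not verify_signature(body, headers, token):
        return "rejected"
    event = json.loads(body)
    return event.get("topic", "unknown")


# Constructed sample body in the topic + payload shape Pagure hooks deliver.
SAMPLE_BODY = json.dumps(
    {"topic": "issue.new", "payload": {"project": {"name": "demo"}}}
).encode()

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_BODY, sign_payload(SAMPLE_BODY, HOOK_TOKEN), HOOK_TOKEN))
    print(handle_webhook(SAMPLE_BODY, {}, HOOK_TOKEN))
```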
¶ 3) Repository and service isolation
- Keep git repo storage separated from web process runtime directories.
- Restrict access to message broker and database to internal networks only.
- Run workers under dedicated low-privilege system accounts.
- Enforce TLS termination and secure proxy headers.
¶ 4) Upgrade and audit policy
- Keep Pagure and dependencies updated from maintained upstream packages.
- Audit admin actions, ACL changes, and token usage.
- Encrypt backups and verify restore tests.
¶ Verification commands
```shell
sudo grep -E '^(PAGURE_AUTH|ALLOW_USER_REGISTRATION|SESSION_COOKIE_SECURE|SESSION_COOKIE_HTTPONLY)' /etc/pagure/pagure.cfg
sudo -u pagure pagure --version
sudo journalctl -u pagure --since '24 hours ago' | grep -Ei 'auth|hook|token|forbidden'
```
- Pagure source project: https://pagure.io/pagure
- Pagure GitHub mirror: https://github.com/Pagure/pagure
- Pagure docs: https://docs.pagure.org/pagure/