Countly includes an API surface, dashboard, plugin ecosystem, and database services. Hardening should focus on dashboard access control, plugin governance, and encrypted transport.
¶ 1) Secure dashboard and API access
- Enforce HTTPS with HSTS for Countly dashboard/API.
- Disable default credentials and enforce strong admin passwords.
- Restrict admin access by IP/VPN where possible.
- Limit API keys to required scope and rotate regularly.
¶ 2) Control plugin and SDK exposure
- Install only required plugins and keep them updated.
- Disable unused plugins to reduce attack surface.
- Review SDK keys and remove stale applications.
- Restrict who can manage plugins and global settings.
¶ 3) Protect data stores and monitor activity
- Keep MongoDB and Redis private (localhost/private subnet only).
- Require authentication for MongoDB/Redis.
- Encrypt backups containing user analytics data.
- Monitor login failures and admin setting changes.
¶ Verification commands
sudo ss -tulpn | grep -E ':3001|:443|:27017|:6379'
sudo grep -R "mongodb\|redis\|api" /opt/countly /etc/countly 2>/dev/null | head
sudo journalctl -u countly --since '24 hours ago' | grep -Ei 'auth|failed|plugin|api'
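The `ss` command above shows which sockets are open, but it still leaves you to read the listing by eye. The following POSIX shell function is an added example (not Countly project code) that parses `ss -tulpn` output and reports any watched port bound to a non-loopback address. It watches 27017 (MongoDB) and 6379 (Redis) as the page lists them, and 3001, which is assumed here to be the plain-HTTP backend port that should sit behind the TLS proxy; the sample listing it runs against is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not Countly project code.
# Report data-store / backend ports that are reachable beyond loopback.
# Usage: check_exposed_listeners "$(sudo ss -tulpn)"
# Prints "PORT ADDRESS" per finding; returns 1 if anything is exposed, 0 otherwise.
check_exposed_listeners() {
    found=0
    # ss columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
    # NR > 1 skips the header, $2 == "LISTEN" skips UDP/UNCONN rows.
    for entry in $(printf '%s\n' "$1" | awk 'NR > 1 && $2 == "LISTEN" { print $5 }'); do
        port=${entry##*:}   # text after the last colon
        addr=${entry%:*}    # text before the last colon ("0.0.0.0", "[::]", "*", ...)
        case "$port" in
            3001|27017|6379) ;;   # ports that must stay on loopback (3001 is an assumption)
            *) continue ;;
        esac
        case "$addr" in
            127.0.0.1|'[::1]'|'::1') ;;          # loopback only: acceptable
            *) echo "$port $addr"; found=1 ;;    # wildcard or routable bind: report it
        esac
    done
    return $found
}

# Constructed sample listing (not real host output): Redis is bound to all interfaces.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      511        127.0.0.1:3001        0.0.0.0:*     users:(("node",pid=1203,fd=19))
tcp   LISTEN 0      4096       127.0.0.1:27017       0.0.0.0:*     users:(("mongod",pid=655,fd=12))
tcp   LISTEN 0      511          0.0.0.0:6379        0.0.0.0:*     users:(("redis-server",pid=702,fd=6))
udp   UNCONN 0      0          127.0.0.53%lo:53      0.0.0.0:*     users:(("systemd-resolve",pid=400,fd=13))'

# Constructed sample where everything sensitive is loopback-only.
SAMPLE_SS_OK='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      511        127.0.0.1:3001        0.0.0.0:*     users:(("node",pid=1203,fd=19))
tcp   LISTEN 0      4096       127.0.0.1:27017       0.0.0.0:*     users:(("mongod",pid=655,fd=12))
tcp   LISTEN 0      511        127.0.0.1:6379        0.0.0.0:*     users:(("redis-server",pid=702,fd=6))'

if check_exposed_listeners "$SAMPLE_SS"; then
    echo "sample: no exposed listeners"
else
    echo "sample: exposed listeners found (see lines above)"
fi
```

On a live host, replace the sample with `check_exposed_listeners "$(sudo ss -tulpn)"`; a non-zero return makes it easy to wire into a cron job or CI check that fails when MongoDB or Redis drifts off loopback.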
¶ References
- Countly self-hosted docs: https://support.countly.com/hc/en-us
- Countly source code: https://github.com/Countly/countly-server
- Countly security policy: https://github.com/Countly/countly-server/security/policy