A self-hosted Swetrix deployment runs the dashboard/API service alongside its database and supporting services. Hardening should focus on three things: the authentication configuration, the lifecycle of analytics API tokens and project secrets, and how much of the stack is reachable from the public internet (ideally only the dashboard and the tracking endpoint, behind TLS).
¶ 1) Harden authentication and account policy
- Enforce strong, unique admin credentials; if the instance is configured for SSO or MFA, require it for every owner and admin account rather than leaving it optional.
- Disable open sign-up on private instances so that only invited accounts exist.
- Treat API tokens and project secrets as credentials: rotate them on a schedule, and immediately when a token is exposed (committed to a repo, pasted in a ticket) or a team member leaves.
- Limit organization/project owner roles to the few people who need them; everyone else gets read-only or per-project access.
¶ 2) Secure API and tracking endpoints
- Terminate TLS in front of the service and send an HSTS header with a long max-age so browsers never fall back to plain HTTP for the dashboard or the tracking endpoint.
- Rate-limit both the tracking endpoint (cheap to abuse for flooding or poisoning analytics data) and the auth routes (credential stuffing and brute force).
- Restrict CORS origins to the domains you actually serve; do not use a wildcard origin.
- Log and alert on invalid-token responses and repeated auth failures from a single source, since both are early signs of token guessing or brute force.
¶ 3) Protect storage and service network
- Bind the database to loopback or a container-internal network only and require authentication; it must never be reachable on the public interface.
- Keep secrets in an env file with restrictive permissions (mode 0600, owned by the deploy user) that the compose file references; never inline them in a compose file that lives in a shared or public repository.
- Encrypt backup archives before they leave the host, and periodically restore one into a scratch instance to prove the backup is actually usable.
- Pull and redeploy the app and database images on a routine schedule so base-image vulnerabilities get patched.
¶ Verification commands
# Which auth, secret and CORS keys are set (key names only, so secret values are not echoed to the terminal; adjust the pattern to the variable names your Swetrix version uses):
grep -E 'JWT|SECRET|DATABASE_URL|DISABLE_REGISTRATION|CORS' /opt/swetrix/.env | cut -d= -f1
# Which ports are listening and on which address. Only the HTTPS port should be bound to 0.0.0.0 or [::]; the app and database ports belong on 127.0.0.1 or a container-internal network (adjust the port list to your compose file):
sudo ss -tulpn | grep -E ':3000|:443|:5432'
# Every service in the stack is up; check that the database service does not publish its port to the host:
docker compose -f /opt/swetrix/docker-compose.yml ps
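The three commands above are one-off spot checks. The script below, an added example that is not part of Swetrix or its documentation, turns the checks from sections 1 to 3 into repeatable functions: it flags empty, default or short secrets in the env file without printing their values, parses `ss -tulpn` output to find services bound to a wildcard address that are not on the expected public-port list, and verifies that an HSTS header with at least a one-year max-age is present. Assumptions: secrets live in a KEY=value env file, and any key whose name contains SECRET, PASSWORD, TOKEN or API_KEY is treated as a secret (a pattern, not a Swetrix variable list). The .env contents, ss output and HTTP headers used by --demo are constructed samples.

```shell
#!/usr/bin/env bash
# Hardening checks for a self-hosted Swetrix stack (added example, not Swetrix code).
# ASSUMPTIONS: secrets live in a .env file with KEY=value lines, and any key whose
# name contains SECRET, PASSWORD, TOKEN or API_KEY is a secret. Adjust to your .env.
set -u   # unset variables are bugs
set -f   # no globbing: ss prints "0.0.0.0:*", which must not expand to file names

# 1) Env-file secrets: flag empty, default-looking or short values.
#    Prints "WEAK <key>: <why>" per finding and returns 1 if any were found.
#    Values are never printed, so the output is safe to paste into a ticket.
check_env_secrets() {
  local file="$1" key val rc=0
  while IFS='=' read -r key val || [ -n "$key" ]; do
    case "$key" in ''|'#'*) continue ;; esac         # blank lines and comments
    case "$key" in
      *SECRET*|*PASSWORD*|*TOKEN*|*API_KEY*)
        val="${val%\"}"; val="${val#\"}"              # strip optional quotes
        case "$val" in
          ''|changeme|secret|password|admin|example)
            echo "WEAK ${key}: empty or default value"; rc=1 ;;
          *)
            if [ "${#val}" -lt 32 ]; then
              echo "WEAK ${key}: only ${#val} characters (want >= 32)"; rc=1
            fi ;;
        esac ;;
    esac
  done < "$file"
  return "$rc"
}

# 2) Network exposure: read `ss -tulpn` output on stdin and report sockets bound
#    to a wildcard address (0.0.0.0, *, [::], ::) whose port is not in the
#    allow-list given as arguments. The database and cache must never show up here.
exposed_listeners() {
  local allowed=" $* " line addr port rc=0
  while read -r line; do
    set -- $line                                    # split ss columns
    case "${2:-}" in LISTEN|UNCONN) ;; *) continue ;; esac
    addr="${5:-}"
    port="${addr##*:}"; addr="${addr%:*}"
    case "$addr" in
      0.0.0.0|'*'|'[::]'|'::')
        case "$allowed" in
          *" $port "*) ;;                           # expected public port
          *) echo "EXPOSED ${addr}:${port} ${7:-}"; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}

# 3) HSTS: read response headers (e.g. `curl -sI https://analytics.example.com`)
#    on stdin; succeed only if Strict-Transport-Security carries max-age >= 1 year.
hsts_ok() {
  local age
  age=$(tr -d '\r' | awk '{ l = tolower($0) }
    l ~ /^strict-transport-security:/ {
      n = index(l, "max-age="); if (n) { s = substr(l, n + 8); sub(/[^0-9].*$/, "", s); print s }
    }' | head -n 1)
  [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Demo with CONSTRUCTED inputs (run: bash swetrix-checks.sh --demo).
# Real usage:  check_env_secrets /opt/swetrix/.env
#              sudo ss -tulpn | exposed_listeners 80 443
#              curl -sI https://analytics.example.com | hsts_ok && echo "HSTS ok"
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf 'JWT_ACCESS_TOKEN_SECRET=changeme\nDB_PASSWORD=short\nREDIS_HOST=redis\n' > "$tmp"
  check_env_secrets "$tmp" || echo "-> env file needs attention"
  rm -f "$tmp"
  printf '%s\n' \
    'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
    'tcp   LISTEN 0      4096   0.0.0.0:443     0.0.0.0:*   users:(("caddy",pid=1,fd=3))' \
    'tcp   LISTEN 0      4096   0.0.0.0:8123    0.0.0.0:*   users:(("clickhouse",pid=2,fd=5))' \
    'tcp   LISTEN 0      4096   127.0.0.1:6379  0.0.0.0:*   users:(("redis",pid=3,fd=6))' \
    | exposed_listeners 80 443 || echo "-> a private service is on the public interface"
  printf 'HTTP/2 200\r\nstrict-transport-security: max-age=300\r\n' | hsts_ok \
    || echo "-> HSTS missing or max-age too short"
fi
```

The functions read their input from a file or stdin rather than running `ss` or `curl` themselves, so the same script can be run against captured output from a remote host in CI, and the demo mode exercises every check offline. A non-zero exit from any function is meant to fail a deployment pipeline, not just print.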
¶ References
- Swetrix self-host docs: https://docs.swetrix.com/selfhosting/
- Swetrix source repository: https://github.com/Swetrix/swetrix
- Swetrix security policy: https://github.com/Swetrix/swetrix/security