• Application configuration
• Disable registration and (optionally) invitations
• Disable password hint display
• HTTPS / TLS configuration
• Strict SNI
• Reverse proxying
• Access logs contain access_token parameter
• Docker configuration
• Run as a non-root user
• Mounting data into the container
• Miscellaneous
• Brute-force mitigation
• Hiding under a subdir