Security Hardening
A production TREK deployment checklist. All items reference actual TREK configuration options.
- Set a strong `ENCRYPTION_KEY` (generate with `openssl rand -hex 32`). See Encryption-Key-Rotation.
- Back up `ENCRYPTION_KEY` separately from the database backup ZIP; losing it makes all stored API keys and secrets unreadable. Stored secrets are encrypted with AES-256-GCM under a key derived from this value.
- Rotate `ENCRYPTION_KEY` if it may have been exposed. See Encryption-Key-Rotation.
- Do not set `JWT_SECRET` via environment variable. TREK auto-generates it on first start, persists it to `data/.jwt_secret`, and manages rotation through the Admin Panel. An env var value would override any rotation performed through the UI on the next restart.
- Run TREK behind a TLS-terminating reverse proxy (nginx, Caddy, Traefik). See Reverse-Proxy.
- Set `TRUST_PROXY=1` so client IPs are captured correctly in the audit log. With `NODE_ENV=production` this defaults to `1` automatically, but set it explicitly if you use a non-standard proxy hop count.
- Set `FORCE_HTTPS=true` to enable HSTS (`max-age=31536000`), redirect HTTP to HTTPS, and add `upgrade-insecure-requests` to the CSP. Requires `TRUST_PROXY`; without it the app cannot see that the proxy already terminated TLS, redirects every request again, and causes a redirect loop.
- Keep `ALLOW_INTERNAL_NETWORK=false` unless your Immich or Synology server is on your LAN. See Internal-Network-Access. Note: loopback (`127.x`, `::1`) and link-local (`169.254.x`) addresses are always blocked regardless of this setting.
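What `TRUST_PROXY` and `FORCE_HTTPS` mean for a request that has crossed a reverse proxy, as an added example that is not TREK's own code. It assumes Express's numeric `trust proxy` semantics (trust the last N hops of `X-Forwarded-For`, counted from the right) and uses a constructed plain request object rather than Express's; `clientIp`, `isSecure`, `forceHttpsRedirect` and `simulateProxiedVisit` are this example's names.

```javascript
// Added example, not TREK's own code. Express-style numeric trust-proxy semantics are
// assumed; the request object is a constructed stand-in for the real one.
const DEFAULT_FORCE_HTTPS_REDIRECT_LIMIT = 3;

// Resolve the client IP. With TRUST_PROXY=0 the socket peer (the proxy) is used.
// With TRUST_PROXY=N the rightmost N addresses are trusted proxies and the entry just
// left of them is the client; anything further left is attacker-supplied and ignored.
function clientIp(req, trustProxy) {
  const hops = Number(trustProxy) || 0;
  if (hops === 0) return req.remoteAddress;
  const chain = String(req.headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  const addrs = [...chain, req.remoteAddress];      // leftmost = claimed origin
  const idx = Math.max(0, addrs.length - 1 - hops);
  return addrs[idx];
}

// Is the request HTTPS from the app's point of view? Behind a TLS-terminating proxy the
// socket is plain HTTP, so only a trusted X-Forwarded-Proto can say "https".
function isSecure(req, trustProxy) {
  if (req.encrypted) return true;
  if ((Number(trustProxy) || 0) === 0) return false;
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto === 'https';
}

// FORCE_HTTPS decision: return a redirect target when the request is not secure.
function forceHttpsRedirect(req, { forceHttps, trustProxy }) {
  if (!forceHttps || isSecure(req, trustProxy)) return null;
  return `https://${req.headers.host}${req.url}`;
}

// Simulate a proxy that terminates TLS and follows the app's redirect: returns how
// many redirects happen before a page is served, capped at `limit`. Reaching the cap
// is the redirect loop the checklist warns about.
function simulateProxiedVisit(config, limit = DEFAULT_FORCE_HTTPS_REDIRECT_LIMIT) {
  let redirects = 0;
  for (let i = 0; i < limit; i++) {
    // Every pass the proxy has already terminated TLS, so the app sees plain HTTP.
    const req = {
      encrypted: false, remoteAddress: '10.0.0.5', url: '/',
      headers: { host: 'trek.example', 'x-forwarded-proto': 'https', 'x-forwarded-for': '203.0.113.7' },
    };
    if (forceHttpsRedirect(req, config) === null) return redirects;
    redirects++;
  }
  return redirects;
}
```

Setting the hop count too high is the opposite failure: with `TRUST_PROXY=5` and only one real proxy, the leftmost address, which the client chose, becomes the "client IP" written to the audit log and used for rate-limit keys.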
- Enable two-factor authentication for your admin account. See Two-Factor-Authentication.
- Require MFA for all users via Admin-Permissions if your use case demands it. Note: you must have MFA enabled on your own admin account before you can enforce it globally.
- Disable open registration if you control who can access the instance. See Admin-Users-and-Invites.
- Rotate the JWT signing secret if a session may have been leaked: Admin Panel → Admin → Rotate JWT Secret (`POST /api/admin/rotate-jwt-secret`). This invalidates all active sessions immediately.
TREK stores sessions as JWTs in an `httpOnly` `trek_session` cookie (`SameSite=Lax`, 24-hour expiry). The `secure` flag is set automatically when `NODE_ENV=production` or `FORCE_HTTPS=true`. Tokens are also accepted via an `Authorization: Bearer` header for MCP and API clients.
- Ensure `FORCE_HTTPS=true` (or `NODE_ENV=production`) so the `trek_session` cookie carries the `secure` flag and is never sent over plain HTTP.
- Set `COOKIE_SECURE=false` only as a temporary escape hatch for LAN testing without TLS; do not use it in production.
TREK enforces a minimum password policy on all registrations and password changes:
- Minimum 8 characters
- Must contain uppercase, lowercase, digit, and special character
- Common passwords and fully-repetitive strings are rejected
- Passwords are hashed with bcrypt (cost factor 12)
No configuration is required; this policy is always active.
Built-in in-memory rate limits protect authentication endpoints:
| Endpoint | Limit | Window |
|---|---|---|
| Login / Register / Invite | 10 attempts | 15 minutes |
| MFA verify-login / enable | 5 attempts | 15 minutes |
| Password change | 5 attempts | 15 minutes |
| MCP token creation | 5 attempts | 15 minutes |
These limits are per source IP. If TREK is behind a reverse proxy, set TRUST_PROXY so the real client IP is used rather than the proxy's IP.
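A fixed-window in-memory limiter keyed on client IP with the limits from the table, as an added example that is not TREK's own code, together with the failure mode the last paragraph describes: when `TRUST_PROXY` is unset behind a reverse proxy, every user shares the proxy's address as their rate-limit key, so one attacker's failed logins lock out everyone. The bucket names, `RateLimiter`, `limiterKey` and the scenario traffic are this example's constructions.

```javascript
// Added example, not TREK's own code. Bucket names and the scenario are constructed.
const WINDOW_MS = 15 * 60 * 1000;
const LIMITS = {
  login: { max: 10, windowMs: WINDOW_MS },          // login / register / invite
  mfa: { max: 5, windowMs: WINDOW_MS },             // MFA verify-login / enable
  passwordChange: { max: 5, windowMs: WINDOW_MS },
  mcpToken: { max: 5, windowMs: WINDOW_MS },
};

class RateLimiter {
  constructor(limits = LIMITS) { this.limits = limits; this.buckets = new Map(); }

  // Fixed window: starts at the first hit, resets once windowMs has elapsed.
  // Returns { allowed, remaining, retryAfterMs }.
  hit(bucket, ip, now = Date.now()) {
    const { max, windowMs } = this.limits[bucket];
    const key = `${bucket}:${ip}`;
    let b = this.buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(key, b);
    }
    b.count++;
    const allowed = b.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - b.count),
      retryAfterMs: allowed ? 0 : b.start + windowMs - now,
    };
  }
}

// Key resolution: trust X-Forwarded-For (one hop) only when TRUST_PROXY is set;
// otherwise the socket peer, which behind a proxy is the proxy itself.
function limiterKey(req, trustProxy) {
  if (!trustProxy) return req.remoteAddress;
  const chain = String(req.headers['x-forwarded-for'] || '')
    .split(',').map(s => s.trim()).filter(Boolean);
  return chain.length ? chain[chain.length - 1] : req.remoteAddress;
}

// Scenario: 10 failed logins from attacker 203.0.113.7, then one more attacker attempt
// and one login from a legitimate user at 198.51.100.9, all arriving via proxy 10.0.0.5.
function proxiedLoginScenario(trustProxy) {
  const rl = new RateLimiter();
  const now = 1700000000000;
  const via = (client) => ({ remoteAddress: '10.0.0.5', headers: { 'x-forwarded-for': client } });
  for (let i = 0; i < 10; i++) rl.hit('login', limiterKey(via('203.0.113.7'), trustProxy), now + i);
  const attacker = rl.hit('login', limiterKey(via('203.0.113.7'), trustProxy), now + 11);
  const victim = rl.hit('login', limiterKey(via('198.51.100.9'), trustProxy), now + 12);
  return { attackerBlocked: !attacker.allowed, victimBlocked: !victim.allowed };
}
```

The limiter state lives in process memory, so it resets on restart and is not shared across replicas; each TREK instance behind a load balancer counts separately.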
Helmet applies a strict CSP on all responses. Key directives:
- `default-src 'self'`
- `script-src 'self' 'wasm-unsafe-eval'` (no `unsafe-inline`)
- `object-src 'none'`
- `frame-src 'none'`
- `frame-ancestors 'self'` (Helmet's `frameAncestors` option; prevents clickjacking from external frames)
- `upgrade-insecure-requests` (added automatically when `FORCE_HTTPS=true`)
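How the listed directives become the `Content-Security-Policy` header, with the `FORCE_HTTPS`-dependent `upgrade-insecure-requests` and HSTS additions, plus a small checker for the three properties the list relies on (no inline script, no external framing, no plugins). This is an added example, not TREK's Helmet configuration: only the directives listed above are included, and `cspDirectives`, `securityHeaders` and `violatesPolicy` are this example's names.

```javascript
// Added example, not TREK's own Helmet config. Only the directives listed on the page
// are included; Helmet's camelCase keys (frameAncestors) become the kebab-case header
// directives used here.
function cspDirectives({ forceHttps = false } = {}) {
  const d = {
    'default-src': ["'self'"],
    'script-src': ["'self'", "'wasm-unsafe-eval'"],   // deliberately no 'unsafe-inline'
    'object-src': ["'none'"],
    'frame-src': ["'none'"],
    'frame-ancestors': ["'self'"],                    // clickjacking protection
  };
  if (forceHttps) d['upgrade-insecure-requests'] = []; // valueless directive
  return d;
}

function cspHeaderValue(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(' ')}` : name))
    .join('; ');
}

// Headers for one response given the environment. HSTS max-age matches the text.
function securityHeaders(env) {
  const forceHttps = env.FORCE_HTTPS === 'true';
  const headers = { 'Content-Security-Policy': cspHeaderValue(cspDirectives({ forceHttps })) };
  if (forceHttps) headers['Strict-Transport-Security'] = 'max-age=31536000';
  return headers;
}

// Parse a CSP header back into directives and report the weaknesses this page's
// policy is designed to exclude. Returns an array of problems; empty means clean.
function violatesPolicy(headerValue) {
  const dirs = Object.fromEntries(
    headerValue.split(';').map(s => s.trim()).filter(Boolean)
      .map(s => { const [name, ...vals] = s.split(/\s+/); return [name, vals]; })
  );
  const problems = [];
  const script = dirs['script-src'] || dirs['default-src'] || [];
  if (script.includes("'unsafe-inline'") || script.includes('*')) problems.push('script-src too permissive');
  const ancestors = dirs['frame-ancestors'];
  if (!ancestors || ancestors.some(v => v !== "'self'" && v !== "'none'")) problems.push('frame-ancestors allows external framing');
  if (!dirs['object-src'] || !dirs['object-src'].includes("'none'")) problems.push('object-src not none');
  return problems;
}
```

With Helmet these same directives would be passed as `helmet({ contentSecurityPolicy: { directives: { defaultSrc: [...], scriptSrc: [...], frameAncestors: [...], upgradeInsecureRequests: [] } } })`; the checker is useful against the live header (`curl -sI https://your-host | grep -i content-security-policy`) after a proxy is inserted, since a misconfigured proxy can strip or replace it.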
- Enable auto-backup with an appropriate retention window. See Backups.
- Store backups off-site — copy backup ZIPs to a separate location outside the TREK host.
- Review the audit log periodically for unexpected logins or admin changes. See Audit-Log.
- Check for TREK updates regularly. See Admin-GitHub-Releases and Updating.