
Security

Securing your self-hosted Appwrite instance is crucial to protect your data and infrastructure. This guide covers the essential security configurations and requirements for production Appwrite deployments.

Encryption

A default Appwrite setup does not generate a unique encryption key. Appwrite uses this key to encrypt your files and sensitive data, such as webhook passwords and API keys, to keep them secure. To take advantage of this feature, you must generate a unique key and set it as the value of the _APP_OPENSSL_KEY_V1 environment variable.

You must set _APP_OPENSSL_KEY_V1 immediately after installation of a production Appwrite instance. Changing the _APP_OPENSSL_KEY_V1 variable will cause the loss of existing passwords, OAuth secrets, and API keys.

Make sure to keep this key in a safe place and never make it publicly accessible.

Best practice

You should always prefer HTTPS over HTTP in production environments. This keeps your APIs secure and prevents any redirects from interfering with your requests. You can force the use of HTTPS with the _APP_OPTIONS_FORCE_HTTPS environment variable.

Console access

Appwrite provides three different methods to limit access to your Appwrite Console.

  1. Whitelist a group of developers by IP using the _APP_CONSOLE_WHITELIST_IPS environment variable.
  2. Whitelist a group of developers by email using the _APP_CONSOLE_WHITELIST_EMAILS environment variable.
  3. Only the root user can sign up. All other developers must be added through invitations. This is configured using the _APP_CONSOLE_WHITELIST_ROOT environment variable.

By default, only the first user can sign up on the Appwrite instance's dashboard. All other users must be added to the dashboard through invitation.

Learn more about environment variables

Security auditing

In addition to the security practices mentioned above, it is highly recommended to perform regular audits to identify and fix potential security vulnerabilities and performance issues. You can use third-party tools and services that specialize in these areas. These tools can automatically check for vulnerabilities and even offer real-time monitoring.

Applying changes

After editing your docker-compose.yml or .env files, you will need to recreate your Appwrite stack by running the following compose command in your terminal.

Shell
docker compose up -d

You can verify that the changes have been applied successfully by running this command:

Shell
docker compose exec appwrite vars
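
Before recreating the stack, the settings this guide covers can be checked in the .env file itself. The script below is an added example, not part of Appwrite or its documentation. Its function names are its own, and it assumes that the stock .env placeholder key is "your-secret-key", that the toggles take the values "enabled" and "disabled", and that 32 characters is a reasonable minimum key length.

```shell
#!/bin/sh
# Added example, not Appwrite's own tooling. Assumptions: "your-secret-key" is
# the placeholder in the stock .env, toggles take "enabled"/"disabled", and the
# 32-character minimum is a threshold chosen for this example.

# Print the value of variable $2 in env file $1 (last assignment wins).
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\r\"'"
}

# Record one finding: print it and bump the counter.
fail() { echo "FAIL $1"; findings=$((findings + 1)); }

# Audit env file $1; status is the number of findings (1 if unreadable).
audit_appwrite_env() {
    findings=0
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }

    key=$(env_get "$1" _APP_OPENSSL_KEY_V1)
    if [ -z "$key" ] || [ "$key" = "your-secret-key" ]; then
        fail "_APP_OPENSSL_KEY_V1 is empty or still the placeholder"
    elif [ "${#key}" -lt 32 ]; then
        fail "_APP_OPENSSL_KEY_V1 is shorter than 32 characters"
    fi

    # The key must never be publicly accessible: no world-readable .env.
    [ -z "$(find "$1" -prune -perm -004)" ] || fail "$1 is world-readable"

    [ "$(env_get "$1" _APP_OPTIONS_FORCE_HTTPS)" = "enabled" ] ||
        fail "_APP_OPTIONS_FORCE_HTTPS is not enabled"

    # Console sign-up is open only if root-only mode is off and no list is set.
    if [ "$(env_get "$1" _APP_CONSOLE_WHITELIST_ROOT)" = "disabled" ] &&
       [ -z "$(env_get "$1" _APP_CONSOLE_WHITELIST_IPS)" ] &&
       [ -z "$(env_get "$1" _APP_CONSOLE_WHITELIST_EMAILS)" ]; then
        fail "console sign-up is unrestricted"
    fi
    return "$findings"
}

# Constructed sample (not a real deployment) with two settings left insecure.
demo() {
    f=$(mktemp)
    printf '%s\n' '_APP_OPENSSL_KEY_V1=your-secret-key' '_APP_OPTIONS_FORCE_HTTPS=disabled' > "$f"
    audit_appwrite_env "$f"; rc=$?; rm -f "$f"; return "$rc"
}

# Usage: sh audit.sh /path/to/appwrite/.env (no argument runs the sample).
if [ -n "${1:-}" ]; then audit_appwrite_env "$1"; else demo || true; fi
```

A non-zero exit status is the number of findings, so the script can gate a deployment step that runs before the compose command above.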