Securing icehrm installation

How to make your IceHrm more secure

Last updated 3 years ago

Immediately upgrade your IceHrm installation to v30.0.0. This version fixes a critical security issue related to file storage.

Open the IceConnect module under System => Ice Connect and make sure no errors are displayed. If your IceHrm installation is not secure, it displays errors such as this one:

This means your uploaded documents are not secure. IceHrm generates random names for uploaded documents, but if a file name is known the file can be retrieved by anyone.

How to fix this:

For Apache: In the latest release we have added a .htaccess file to the data directory to prevent access. If this error is still shown, please consult your server admin to review the .htaccess file and make changes accordingly.

For Nginx: add the following location block to the nginx virtual host file to prevent access to the icehrm/app/data directory.

location /app/data/ {
    deny all;
    return 404;
}

Prevent Access to Core Directory

Allowing direct access to the icehrm/core directory can be a security risk to your installation. If you are using Nginx, add the following location block to your vhost file to prevent this.

location /core/ {
    deny all;
    return 404;
}

For a full example refer to [nginx vhost file for development environment]()

For Apache, we have already added the [.htaccess file](). But please try manually visiting a file inside icehrm/core via the web server to make sure the .htaccess file is working on your server.
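The manual visit described above can be scripted so it is repeated after every deployment. The checker below is an added example, not part of IceHrm; the host name is a placeholder, /core/.htaccess is probed because that file exists in the IceHrm source tree, and /app/data/ is probed as a directory because uploaded files have random names (pass a known upload path as an extra argument to probe one).

```python
"""Check that an IceHrm web server refuses direct access to /core/ and /app/data/."""
import sys
import urllib.error
import urllib.request

# Paths that must never be served directly (assumed probe list, see lead-in).
SENSITIVE_PATHS = ["/core/.htaccess", "/app/data/"]


def http_status(url, timeout=5):
    """Return the HTTP status of a GET without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surfaces 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Only the refusals the nginx block (404) or Apache deny (403) produce
    count as blocked; anything else, including 200 and redirects, may leak."""
    return "blocked" if status in (403, 404) else "exposed"


def audit(base_url, paths=SENSITIVE_PATHS, fetch=http_status):
    """Return {path: verdict}; `fetch` is injectable so the logic can be
    exercised offline without a running IceHrm instance."""
    results = {}
    for path in paths:
        try:
            results[path] = classify(fetch(base_url.rstrip("/") + path))
        except (urllib.error.URLError, OSError) as err:
            results[path] = "error: %s" % err
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://hr.example.invalid"
    verdicts = audit(base, SENSITIVE_PATHS + sys.argv[2:])
    for path, verdict in verdicts.items():
        print("%-30s %s" % (path, verdict))
    sys.exit(0 if all(v == "blocked" for v in verdicts.values()) else 1)
```

Run it as `python check_icehrm_paths.py https://your-icehrm-host`; a non-zero exit means at least one directory is still reachable or could not be checked.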

https://github.com/gamonoid/icehrm/blob/develop/deployment/vagrant/sites-available/default#L25
https://github.com/gamonoid/icehrm/blob/develop/deployment/vagrant/sites-available/default#L30
https://github.com/gamonoid/icehrm/blob/develop/core/.htaccess