Security_

Securing your self-hosted Appwrite instance is crucial to protect your data and infrastructure. This guide covers the essential security configurations and requirements for production Appwrite deployments.

Encryption

Appwrite does not generate a unique encryption key during a default setup. This key encrypts your files and sensitive data like webhook passwords or API keys to keep them secure. To take advantage of this feature, you must generate a unique key and set it as the value of the _APP_OPENSSL_KEY_V1 environment variable.

You must set _APP_OPENSSL_KEY_V1 immediately after installation of a production Appwrite instance. Changing the _APP_OPENSSL_KEY_V1 variable will cause the loss of existing passwords, OAuth secrets, and API keys.

Make sure to keep this key in a safe place and never make it publicly accessible.

Console access

Appwrite provides three different methods to limit access to your Appwrite Console.

1. Whitelist a group of developers by IP using the _APP_CONSOLE_WHITELIST_IPS environment variable.
2. Whitelist a group of developers by email using the _APP_CONSOLE_WHITELIST_EMAILS environment variable.
3. Only the root user can signup. All other developers must be added through invitations. This is configured using the _APP_CONSOLE_WHITELIST_ROOT environment variable.

By default, only the first user can sign up on the Appwrite instance's dashboard. All other users must be added to the dashboard through invitation.

Security auditing

In addition to the security practices mentioned, it is highly recommended to do regular audits to identify and fix potential security vulnerabilities and performance issues. You can use third-party tools and services that specialize in these areas. These tools can automatically check for vulnerabilities and even offer real-time monitoring.

docker compose up -d

docker compose exec appwrite vars