1. Installation: Securing TightBlog
Security should be top-of-mind when setting up any web site, even one that is on a private network and internal to your organization. Here are some recommendations for keeping your TightBlog installation secure:
- Perform the TightBlog installation on a secure network. While you are installing TightBlog it is possible for other users to interfere with your installation: if other users have access to the server, one of them could create the admin account before you do. So install TightBlog on a server that cannot be accessed by others.
- Make sure TightBlog is running over an SSL connection (i.e., using https:// URLs); this is the default setup configured via its Spring Security configuration. If you run TightBlog over a plain HTTP connection, others can snoop your password when you log in, for example over an open Wi-Fi network. Follow your servlet container's documentation for setting up SSL (http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html for Tomcat, for example). Then redeploy TightBlog and confirm that the entire application (blog pages and the TightBlog UI) is served by your servlet container only via SSL.
- Require Google Authentication (entering a code from a smartphone authenticator app) whenever anyone logs in. This is enabled by default via the mfa.enabled property in the tightblog.properties file.
- Turn off new user registration once everyone you want to have a blogging account has one. While registration is open, require all accounts to be approved by an admin (TightBlog will send emails to admins allowing them to approve or reject the registration). This setting can be adjusted on the Server Configuration page of TightBlog, accessible only to Admins.
- Enable HTML sanitization. You should only grant blogging accounts to people you fully trust not to blog bad things or to use JavaScript, forms, etc. to harm their readers. For an additional level of protection, the Server Admin page allows you to limit the types of HTML tags that may be used in blog entries and (separately) in comments. Further, if desired, the Server Admin page allows you to disallow theme template customizations, which further prevents use of unauthorized HTML features. However, none of this prevents people from blogging other people's credit card or Social Security numbers, for example, so again, grant blogging accounts only to people you fully trust.