Security

Snipe-IT was built with security in mind. Passwords are hashed with bcrypt, an adaptive, salted password-hashing function derived from the Blowfish block cipher. "Adaptive" means its work factor can be raised as hardware gets faster, so a leaked password database stays expensive to crack offline.

Additionally, the software throttles login attempts to blunt brute forcing: after a specified number of failed logins, both the source IP address and the targeted username are locked out for a configurable number of minutes, so neither a spray from one address nor a distributed attack on one account can keep guessing.
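The lockout behaviour described above, as an added example rather than Snipe-IT's own code (Snipe-IT relies on Laravel's login throttling): a small throttle that counts failures per source IP and per username, locks both keys after a configurable number of attempts, and refuses to check the password at all while a lock is active. The class name, the two-key scheme and the sample addresses are this example's own assumptions; the two limits correspond to the LOGIN_MAX_ATTEMPTS and LOGIN_LOCKOUT_DURATION settings in Snipe-IT's .env.example.

```python
"""Per-IP and per-username login lockout, added example (not Snipe-IT code)."""
import time
from collections import defaultdict
from typing import Callable, Dict, List


class LoginThrottle:
    """Counts failed logins per source IP and per username; after max_attempts
    failures inside the lockout window, that key is locked for lockout_minutes."""

    def __init__(self, max_attempts: int = 5, lockout_minutes: int = 60,
                 clock: Callable[[], float] = time.time):
        self.max_attempts = max_attempts
        self.window = lockout_minutes * 60          # seconds
        self.clock = clock                          # injectable so tests can advance time
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _keys(ip: str, username: str):
        # Two independent counters: a spray from one IP locks the IP,
        # a distributed attack on one account locks the account.
        return (f"ip:{ip}", f"user:{username.strip().lower()}")

    def locked_for(self, ip: str, username: str) -> float:
        """Seconds left on the longest active lock for this IP/username pair, 0 if none."""
        now = self.clock()
        remaining = 0.0
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if until > now:
                remaining = max(remaining, until - now)
            else:
                # Lock expired: forget it and the failures that caused it.
                del self._locked_until[key]
                self._failures.pop(key, None)
        return remaining

    def record_failure(self, ip: str, username: str) -> bool:
        """Record a failed login. Returns True if this failure triggered a lock."""
        now = self.clock()
        triggered = False
        for key in self._keys(ip, username):
            # Sliding window: only failures inside the lockout window count.
            recent = [t for t in self._failures[key] if now - t < self.window]
            recent.append(now)
            self._failures[key] = recent
            if len(recent) >= self.max_attempts:
                self._locked_until[key] = now + self.window
                triggered = True
        return triggered

    def record_success(self, ip: str, username: str) -> None:
        """A successful login resets the failure counters (locks expire on their own)."""
        for key in self._keys(ip, username):
            self._failures.pop(key, None)

    def attempt(self, ip: str, username: str, credentials_valid: bool) -> str:
        """Login decision: 'locked', 'ok' or 'failed'. A locked request never reaches
        the password check, so the attacker learns nothing while the lock lasts."""
        if self.locked_for(ip, username) > 0:
            return "locked"
        if credentials_valid:
            self.record_success(ip, username)
            return "ok"
        self.record_failure(ip, username)
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_attempts=3, lockout_minutes=15)
    # Constructed sample: one attacker address guessing alice's password three
    # times, then the real alice from her own address while the lock is active.
    events = [("203.0.113.5", "alice", False)] * 3 + [("198.51.100.9", "alice", True)]
    for ip, user, ok in events:
        print(ip, user, "->", throttle.attempt(ip, user, ok))
```

Two things to carry over to a real deployment. Behind a reverse proxy the IP handed to the throttle must be the real client address, which means honouring X-Forwarded-For only from the proxy itself (Snipe-IT's APP_TRUSTED_PROXIES setting); otherwise an attacker can spoof the header to dodge the IP lock or to lock out other people. And the username lock is what stops a distributed guess, but it also lets an attacker deliberately lock a named user out, as the demo's last event shows, so keep the duration modest rather than "forever".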

Additional Security

Although this is web-based software and must run on a web server, consider whether it actually needs to be reachable from the outside world. Running it on an internal network with no inbound ports exposed, or on AWS behind a security group that only admits traffic from a selected static IP range (such as your company network's public address), removes the opportunistic scanning and password guessing that any public login page attracts. If remote staff need it, a VPN in front of it is usually a better answer than exposing the login page.

Also, running Snipe-IT over SSL/TLS is not required, but strongly recommended: without it, login credentials, session cookies and API tokens cross the network in clear text. (At this point, running everything over TLS is simply a good idea.)

Once Snipe-IT is served over HTTPS, there are optional settings you should turn on, such as HTTPS-only (Secure) session cookies and an .htaccess rule that redirects plain-HTTP requests to the HTTPS version. Enable secure cookies only after HTTPS actually works end to end: a browser never sends a Secure cookie over plain HTTP, so switching it on for a site still served over HTTP means nobody can stay logged in.

IMPORTANT:

Never leave your Snipe-IT instance running in debug mode (APP_DEBUG=true in your .env) if your server is accessible to the outside world: debug error pages show stack traces, file paths and request data to anyone who can trigger an error, and can leak secrets with them. Debug mode can be enormously useful for quick troubleshooting, but switch it back off as soon as you have resolved your issue.

Treat the APP_KEY in your .env as a secret: it is the key Laravel uses to encrypt session cookies and the encrypted fields stored in the database, so anyone who holds it can read those values or forge sessions. If you think it has been exposed, you MUST change it. Do not simply generate a new key, though, because every previously encrypted value would then be unreadable; re-encrypt the stored values with the key rotation artisan command, which rotates the key and the data together. Also understand that when you run that command, all users will be logged out and all token values will be lost, so schedule it and warn anyone with API integrations beforehand.
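The settings covered above (HTTPS-only cookies and the HTTP-to-HTTPS redirect, debug mode, and the APP_KEY) are each a single entry in .env or .htaccess, so the most practical safeguard is an audit you can run before a host goes live. The following is an added example, not Snipe-IT or Laravel code: it parses a constructed .env and .htaccess and reports the settings this page warns about. The variable names are the ones in Snipe-IT's .env.example and the key format is the one Laravel's key:generate produces; the severities, messages and sample files are this example's own.

```python
"""Audit a Snipe-IT .env and .htaccess for the settings this page warns about.
Added example, not Snipe-IT code; finding texts and severities are its own."""
import re

# Constructed sample: a .env left in a troubleshooting state on a public host.
SAMPLE_ENV = """\
APP_ENV=production
APP_DEBUG=true
APP_KEY=ChangeMe
APP_URL=http://assets.example.com
SECURE_COOKIES=false
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=60
"""

# Constructed sample: the usual Apache rewrite that forces HTTPS.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

# Laravel's `php artisan key:generate` writes base64:<32 random bytes>,
# which is 44 base64 characters ending in a single '=' pad.
KEY_PATTERN = re.compile(r"base64:[A-Za-z0-9+/]{43}=")


def parse_env(text):
    """Minimal KEY=value parser: skips blanks and comments, strips surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def is_truthy(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_env(env, internet_facing=True):
    """Return (severity, message) findings for the settings discussed on this page."""
    findings = []

    if is_truthy(env.get("APP_DEBUG", "false")):
        sev = "critical" if internet_facing else "warning"
        findings.append((sev, "APP_DEBUG=true: error pages expose stack traces and request data"))

    key = env.get("APP_KEY", "")
    if not key or key == "ChangeMe":
        findings.append(("critical", "APP_KEY is unset or still the placeholder"))
    elif not KEY_PATTERN.fullmatch(key):
        findings.append(("warning", "APP_KEY does not look like a key:generate value"))

    https = env.get("APP_URL", "").lower().startswith("https://")
    secure_cookies = is_truthy(env.get("SECURE_COOKIES", "false"))
    if not https:
        findings.append(("warning", "APP_URL is not https://; serve over TLS and redirect HTTP"))
        if secure_cookies:
            # Failure mode: browsers never send a Secure cookie over plain HTTP,
            # so every login just loops back to the login page.
            findings.append(("critical", "SECURE_COOKIES=true on an http:// APP_URL: session cookie is never sent, logins fail"))
    elif not secure_cookies:
        findings.append(("warning", "SECURE_COOKIES=false on an https:// site: session cookie may leak over HTTP"))

    for name in ("LOGIN_MAX_ATTEMPTS", "LOGIN_LOCKOUT_DURATION"):
        if name not in env:
            findings.append(("info", f"{name} not set; confirm the default lockout matches your policy"))
    return findings


def has_https_redirect(htaccess_text):
    """True if .htaccess has a RewriteCond on HTTPS being off followed by a redirect to https://."""
    lines = [line.strip() for line in htaccess_text.splitlines()]
    for i, line in enumerate(lines):
        if re.fullmatch(r"RewriteCond\s+%\{HTTPS\}\s+(off|!=on)", line):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith("RewriteRule") and "https://" in nxt:
                return True
    return False


if __name__ == "__main__":
    for sev, msg in audit_env(parse_env(SAMPLE_ENV)):
        print(f"[{sev}] {msg}")
    print("HTTPS redirect present:", has_https_redirect(SAMPLE_HTACCESS))
```

Run it against a copy of your real .env before exposing a host. The one finding that needs judgement is SECURE_COOKIES on an http:// APP_URL: it is rated critical because turning on secure cookies before HTTPS works is the classic way to lock everyone, yourself included, out of the login page. A placeholder or malformed APP_KEY is treated as a hard failure for the same reason the text above gives: anything encrypted under it is only as secret as the key.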


Related Information