At Frappe, we treat user security as a top priority. To that end, we have built a series of security measures into the product that users can use to secure their accounts.
Password protection and related security measures are built into the application, and users can configure them from either the System Settings or User Profile pages:
- Security measures for login:
  - OTP/2FA support.
  - Enforcing strong passwords via a password policy.
  - Option to lock a user's login after X failed attempts.
  - Forcing users to reset their password after X days.
- All passwords stored in the database are encrypted and are never stored in plaintext.
The Frappe framework also provides tooling for additional security measures on the server side, such as:
- Fail2ban, to automatically ban IPs that show malicious signs or send continuous requests.
- Sites/instances can be served over HTTPS for free using Let's Encrypt. All sites hosted on erpnext.com have this by default.
Frappe/ERPNext implements audit logs through its versioning feature, in which prior changes/versions of a document are stored. With the Track Seen option enabled, one can see the list of users who have accessed/viewed a particular record.
For users hosted on erpnext.com, Frappe also maintains backups using Amazon's S3 service.
Frappe publishes and maintains a list of Common Vulnerabilities and Exposures (CVEs) on our website, and security fixes are issued for issues reported through this page. As a standard practice, all customers are informed and upgraded to versions in which the issue has been patched, and the issue is disclosed publicly after a period of 60 days.
Frappe ensures that sites hosted on erpnext.com face minimal downtime by running a master-replica setup, so that if the primary server fails, operations can be switched to a replica.
Have more questions? Get in touch!