ERPNext Security

At Frappe, we treat user security with utmost priority. To embody this point, we have inbuilt a series of security measures users can utilize to secure their accounts.

Authentication Measures

Password protection and security measures are built within the application, and users can update these from either the System Settings or User Profile pages:

Frappe/ERPNext Secutiry Settings

  • All passwords stored in the database are encrypted and not stored in plaintext.

Serverside Security

The Frappe framework provides additional goods which allows for added security measures on the server side such as:

  • Fail2ban to automatically block to ban IPs that show malicious signs/continuous requests.
  • Sites/instances can be encrypted with HTTPS for free using LetsEncrypt. All sites hosted on have this by default.

Audit Trails

Frappe/ERPNext implements Audit logs through versioning feature where prior changes/versions of a document are stored. With the Track Seen option enabled, one can see the list of users who have accessed/viewed a particular record.

Maintaining Backups

Users can download their database and file backups from within the application itself or upload it directly to a cloud storage solution.

For users hosted on, Frappe also maintains backup using Amazon's S3 service.

Security Vulnerabilities

Frappe releases and maintains a list of Common Vulnerabilities and Exposures (CVEs) on our website. Security fixes are sent when reported via this page. As a standard practice, all customers are informed/upgraded to versions where the issue has been patched and disclosed after a period of 60 days.

Ensuring Uptime/Redundancy

Frappe ensures that sites hosted on face minimal downtime by implementing a master-replica setup so in case of failure of primary server, the operations can be switched to a replica.

Have more questions? Get in touch!