| = Security |
| |
| Fineract is *secure by design*. It is designed and built from the ground up to accept, manage, and present data securely. This chapter will detail its various security-related features and settings, along with best practices for secure deployment. |
| |
| If you believe you have found a security vulnerability in Fineract itself, https://fineract.apache.org/#contribute[let us know privately]. |
| |
| Your task as bank CTO, sysadmin, vendor, or other entity responsible for hosting Fineract securely is to thoroughly consider these sections and thoughtfully apply them in your work. While a Fineract release _is_ secure by design, it is _not_ sufficient for a sysadmin to simply start it up and hope for the best. Careful steps must be taken to ensure a deployment is and remains secure despite software environment changes, attacks, staff transitions, and anything else that may arise. |
| |
| We'll first cover the various supported authentication schemes and will continue on to recommendations for securing a Fineract deployment. |
| |
| NOTE: The HTTP Basic and OAuth authentication schemes are mutually exclusive. You can't enable them both at the same time. Fineract checks these settings on startup and will fail if more than one authentication scheme is enabled. |
| |
| include::basic.adoc[leveloffset=+1] |
| |
| include::oauth.adoc[leveloffset=+1] |
| |
| include::2fa.adoc[leveloffset=+1] |
| |
| include::harden.adoc[leveloffset=+1] |
