GLPI in production without hardening is an easy target. This checklist covers the critical security points every administrator should verify.
Security checklist
1. DocumentRoot in the public folder
The web server (Apache/Nginx) must point to /var/www/glpi/public, not to /var/www/glpi. Without this, internal files are accessible via URL.
2. Remove installation files
rm -f /var/www/glpi/install/install.php
3. Change default passwords
Immediately change the passwords of the default accounts glpi, tech, normal and post-only, and consider disabling the ones you don't use.
4. Mandatory HTTPS
Configure SSL/TLS and redirect HTTP to HTTPS. Use Let's Encrypt for free certificates.
5. Security headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set Content-Security-Policy "default-src 'self'"
6. Directory permissions
/var/www/glpi: read for www-data
/var/lib/glpi: read+write for www-data
/etc/glpi: read for www-data, no web access
/var/log/glpi: write for www-data, no web access
7. Keep it updated
Apply security patches as soon as they are available. Use the CVE Scan module to monitor vulnerabilities.
8. Backup and DR plan
See our backup and disaster recovery guide.
9. Monitoring
Monitor GLPI with Zabbix or Grafana: availability, performance, authentication errors (brute force attempts).
10. Strong authentication
Implement SSO with Azure AD + MFA. Disable local login for users who use SSO.
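To verify items 1, 2, 5 and 6 of the checklist above on a running server, here is an added audit script (not part of GLPI or the original checklist). It takes the web root, the config directory, the vhost file and a saved header dump as arguments; the /etc/apache2/sites-enabled/glpi.conf path in the usage line is an assumed Debian-style location.

```shell
#!/bin/sh
# Added audit helper, not part of GLPI or the original checklist: verifies items
# 1, 2, 5 and 6 above. Paths are parameters; the vhost path in the usage line is
# an assumed Debian-style location.
# Item 1: every DocumentRoot in the vhost file must end in /public.
glpi_docroot_ok() {
    roots=$(grep -E '^[[:space:]]*DocumentRoot[[:space:]]' "$1" 2>/dev/null \
            | awk '{print $2}' | tr -d '"')
    [ -n "$roots" ] || return 1
    echo "$roots" | grep -vqE '/public/?$' && return 1
    return 0
}

# Item 2: the installer script must be gone after setup.
glpi_installer_removed() { [ ! -e "$1/install/install.php" ]; }

# Item 5: a header dump (curl -sI https://host/ > headers.txt) must carry each
# of these; X-XSS-Protection is left out because current browsers ignore it.
glpi_headers_ok() {
    for h in X-Content-Type-Options X-Frame-Options \
             Strict-Transport-Security Content-Security-Policy; do
        grep -qi "^$h:" "$1" || return 1
    done
}

# Item 6: nothing under the web root may be world-writable, and the config
# directory must not be readable by "other" at all.
glpi_perms_ok() {
    [ -d "$1" ] && [ -d "$2" ] || return 1
    ww=$(find "$1" -perm -o+w 2>/dev/null | head -n 1)
    [ -z "$ww" ] || return 1
    wr=$(find "$2" -perm -o+r 2>/dev/null | head -n 1)
    [ -z "$wr" ] || return 1
}

# Runs every check, prints one PASS/FAIL line each, returns the failure count.
glpi_audit() {
    af=0
    glpi_docroot_ok "$3"        && echo "PASS docroot"   || { echo "FAIL docroot";   af=$((af+1)); }
    glpi_installer_removed "$1" && echo "PASS installer" || { echo "FAIL installer"; af=$((af+1)); }
    glpi_headers_ok "$4"        && echo "PASS headers"   || { echo "FAIL headers";   af=$((af+1)); }
    glpi_perms_ok "$1" "$2"     && echo "PASS perms"     || { echo "FAIL perms";     af=$((af+1)); }
    return $af
}

# Usage: sh glpi_audit.sh audit /var/www/glpi /etc/glpi /etc/apache2/sites-enabled/glpi.conf headers.txt
if [ "$#" -eq 5 ] && [ "$1" = "audit" ]; then
    glpi_audit "$2" "$3" "$4" "$5"
fi
```

The exit status is the number of failed items, so the script drops straight into a cron job or CI step that alerts on non-zero.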