
Security Configuration

Comprehensive security settings and best practices for protecting your Memos instance.

Security is paramount when deploying Memos in production environments. This guide covers comprehensive security configuration, best practices, and hardening techniques.

Security Overview

Authentication Security

Password Policies

Configure strong password requirements to protect user accounts.

Environment Configuration

# Password complexity requirements
export MEMOS_PASSWORD_MIN_LENGTH=12
export MEMOS_PASSWORD_REQUIRE_UPPERCASE=true
export MEMOS_PASSWORD_REQUIRE_LOWERCASE=true
export MEMOS_PASSWORD_REQUIRE_NUMBERS=true
export MEMOS_PASSWORD_REQUIRE_SYMBOLS=true

# Account lockout policies
export MEMOS_MAX_LOGIN_ATTEMPTS=5
export MEMOS_LOCKOUT_DURATION=900  # 15 minutes in seconds

# Session security
export MEMOS_SESSION_TIMEOUT=3600  # 1 hour
export MEMOS_SESSION_ABSOLUTE_TIMEOUT=28800  # 8 hours

Docker Configuration

services:
  memos:
    image: neosmemo/memos:stable
    environment:
      # Password policies
      - MEMOS_PASSWORD_MIN_LENGTH=12
      - MEMOS_PASSWORD_REQUIRE_UPPERCASE=true
      - MEMOS_PASSWORD_REQUIRE_LOWERCASE=true
      - MEMOS_PASSWORD_REQUIRE_NUMBERS=true
      - MEMOS_PASSWORD_REQUIRE_SYMBOLS=true
      
      # Account security
      - MEMOS_MAX_LOGIN_ATTEMPTS=5
      - MEMOS_LOCKOUT_DURATION=900
      - MEMOS_SESSION_TIMEOUT=3600
      - MEMOS_ENABLE_MFA=true
    volumes:
      - memos_data:/var/opt/memos
    ports:
      - "5230:5230"

Multi-Factor Authentication (MFA)

Enable MFA for enhanced account security.

# Enable MFA
export MEMOS_ENABLE_MFA=true

# MFA methods
export MEMOS_MFA_METHODS=totp,email

# MFA enforcement
export MEMOS_MFA_REQUIRED_FOR_ADMINS=true
export MEMOS_MFA_GRACE_PERIOD=86400  # 24 hours

Session Management

Secure Session Configuration

# Session cookie settings
export MEMOS_SESSION_COOKIE_NAME=memos_session
export MEMOS_SESSION_COOKIE_SECURE=true
export MEMOS_SESSION_COOKIE_HTTP_ONLY=true
export MEMOS_SESSION_COOKIE_SAME_SITE=strict

# Session storage
export MEMOS_SESSION_STORE=database  # or redis
export MEMOS_SESSION_CLEANUP_INTERVAL=3600

Session Security Headers

# Nginx security headers (in the server {} block that proxies Memos).
# Note: an add_header inside a location {} block replaces, not extends, the
# headers inherited from server {}, so repeat them in every location that sets its own.
server {
    # ... other configuration
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated and ignored by current browsers; the CSP below is the real control
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 'unsafe-inline' in script-src weakens the CSP against XSS; drop it if the app works without inline scripts
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self';" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
}
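To confirm that a running deployment actually emits the headers and cookie flags configured above (the nginx header set, and MEMOS_SESSION_COOKIE_SECURE / HTTP_ONLY / SAME_SITE=strict), here is an added checker in Python; it is not part of Memos or of this guide, the response headers are a constructed sample, and the cookie name follows MEMOS_SESSION_COOKIE_NAME=memos_session:

```python
# Constructed sample of response headers from a Memos reverse proxy (not captured from
# a real deployment): the CSP allows inline scripts and the cookie lacks Secure/Strict.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Permissions-Policy": "camera=(), microphone=()",
    "Set-Cookie": ["memos_session=abc123; Path=/; HttpOnly; SameSite=Lax"],
}

# Headers the nginx block in this guide is expected to send (lower-cased names).
REQUIRED_HEADERS = ("strict-transport-security", "x-frame-options", "x-content-type-options",
                    "referrer-policy", "content-security-policy", "permissions-policy")

def cookie_attrs(set_cookie):
    # Return (cookie name, {attribute: value}) for one Set-Cookie header value.
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value.lower() if value else True
    return parts[0].split("=", 1)[0], attrs

def audit_headers(headers, cookie_name="memos_session"):
    # headers: dict of response headers; "Set-Cookie" holds a list of raw cookie values.
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED_HEADERS:
        if name not in lower:
            findings.append(f"missing header: {name}")
    # CSP: script-src (or default-src as its fallback) must not allow inline scripts.
    csp = {d.split()[0]: d.split()[1:] for d in lower.get("content-security-policy", "").split(";") if d.strip()}
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("csp: script-src permits 'unsafe-inline'")
    for raw in lower.get("set-cookie", []):
        name, attrs = cookie_attrs(raw)
        if name != cookie_name:
            continue
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name}: missing {flag}")
        if attrs.get("samesite") != "strict":
            findings.append(f"cookie {name}: SameSite is {attrs.get('samesite', 'unset')}")
    return findings
```

Feed it the headers of a real response to the sign-in endpoint (a sign-in is what sets the session cookie); an empty list means the proxy and the session settings agree with this guide.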

Network Security

HTTPS Configuration

Always use HTTPS in production. See the HTTPS Setup guide for detailed configuration.

# Force HTTPS
export MEMOS_FORCE_HTTPS=true
export MEMOS_HTTPS_PORT=443

# HSTS configuration
export MEMOS_HSTS_MAX_AGE=31536000
export MEMOS_HSTS_INCLUDE_SUBDOMAINS=true
export MEMOS_HSTS_PRELOAD=true

Firewall Configuration

UFW (Ubuntu)

# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# SSH access (change port if needed)
sudo ufw allow 22/tcp

# HTTP/HTTPS
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Memos (only if not using reverse proxy)
# sudo ufw allow 5230/tcp

# Enable firewall
sudo ufw enable

iptables

# Flush existing rules
sudo iptables -F

# Allow loopback and established connections before switching the policy to DROP,
# so the SSH session running these commands is not cut off
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# HTTP/HTTPS
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Default policies (set after the allow rules are in place)
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Save rules (the redirect must run as root; iptables-persistent reloads this file at boot)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

Rate Limiting

Implement rate limiting to curb abuse, slow down credential brute-forcing, and blunt simple denial-of-service attempts.

Application Level

# General rate limiting
export MEMOS_RATE_LIMIT_ENABLED=true
export MEMOS_RATE_LIMIT_REQUESTS_PER_MINUTE=100
export MEMOS_RATE_LIMIT_BURST=20

# API-specific limits
export MEMOS_API_RATE_LIMIT_RPM=60
export MEMOS_LOGIN_RATE_LIMIT_RPM=10
export MEMOS_UPLOAD_RATE_LIMIT_RPM=20

Nginx Rate Limiting

# Rate limiting zones (limit_req_zone must be declared in the http {} context, outside server {})
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=upload:10m rate=2r/s;

server {
    # General pages
    location / {
        limit_req zone=general burst=10 nodelay;
        proxy_pass http://127.0.0.1:5230;
        # ... proxy headers
    }
    
    # Login endpoints
    location /api/v1/auth/ {
        limit_req zone=login burst=3 nodelay;
        proxy_pass http://127.0.0.1:5230;
        # ... proxy headers
    }
    
    # API endpoints
    location /api/ {
        limit_req zone=api burst=10 nodelay;
        proxy_pass http://127.0.0.1:5230;
        # ... proxy headers
    }
    
    # Upload endpoints
    location /api/v1/resources {
        limit_req zone=upload burst=5 nodelay;
        client_max_body_size 50M;
        proxy_pass http://127.0.0.1:5230;
        # ... proxy headers
    }
}
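As an added illustration (not nginx's code and not part of this guide), the following Python model reproduces the leaky-bucket arithmetic of ngx_http_limit_req_module to show what the login zone above (rate=1r/s burst=3 nodelay) does to a burst of sign-in requests; the client address is constructed:

```python
class LimitReqZone:
    # Model of nginx's limit_req leaky bucket: one bucket per key, counted in
    # thousandths of a request like the module itself; `rate` is requests/second.
    def __init__(self, rate, burst, nodelay=True):
        self.rate = rate * 1000
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state = {}  # key -> (excess, last_ms)

    def check(self, key, now_ms):
        # Returns ("pass", delay_ms) or ("reject", 0) for a request arriving at now_ms.
        if key not in self.state:            # first request from this key: no excess yet
            self.state[key] = (0, now_ms)
            return "pass", 0
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # Leak at the configured rate since the last request, then add this request.
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:              # over rate + burst: nginx answers 503
            return "reject", 0               # rejected requests do not update the bucket
        self.state[key] = (excess, now_ms)
        # Without nodelay the excess is served late instead of immediately.
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return "pass", delay


def login_decisions(n, spacing_ms=0, nodelay=True):
    # Fire n sign-in requests from one constructed client IP through the guide's
    # login zone (rate=1r/s burst=3), spaced spacing_ms apart.
    zone = LimitReqZone(rate=1, burst=3, nodelay=nodelay)
    return [zone.check("203.0.113.5", i * spacing_ms) for i in range(n)]


if __name__ == "__main__":
    print(login_decisions(6))            # 4 pass at once, then 503s
    print(login_decisions(6, 1000))      # one per second: all pass
    print(login_decisions(5, 0, False))  # without nodelay: passes are delayed, 5th still rejected
```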

Data Protection

Encryption at Rest

Encrypt sensitive data stored in your database and file system.

Database Encryption

SQLite with SQLCipher:

# Enable SQLite encryption
export MEMOS_DB_ENCRYPTION=true
export MEMOS_DB_ENCRYPTION_KEY=your-encryption-key

# Key management
export MEMOS_DB_KEY_ROTATION_ENABLED=true
export MEMOS_DB_KEY_ROTATION_INTERVAL=2592000  # 30 days

PostgreSQL with Transparent Data Encryption:

-- PostgreSQL itself has no transparent data encryption; pg_tde is a third-party
-- extension and the ENCRYPTED WITH column syntax is not valid PostgreSQL SQL.
-- Column-level encryption with the bundled pgcrypto extension instead:
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Keep the e-mail as a ciphertext column; the key is supplied by the application
-- from a secret store, never stored in the database (placeholder shown)
ALTER TABLE memos_user ADD COLUMN encrypted_email BYTEA;
UPDATE memos_user SET encrypted_email = pgp_sym_encrypt(email, 'replace-with-key-from-secret-store');
-- Read back with pgp_sym_decrypt(encrypted_email, '<key>')

File System Encryption

# LUKS encryption for data directories (luksFormat destroys everything on /dev/sdb1)
sudo cryptsetup luksFormat /dev/sdb1
sudo cryptsetup open /dev/sdb1 encrypted_data
sudo mkfs.ext4 /dev/mapper/encrypted_data

# Unlock at boot via crypttab, then mount the mapped device (tee -a: the redirect needs root)
echo 'encrypted_data /dev/sdb1 none luks' | sudo tee -a /etc/crypttab
sudo mkdir -p /mnt/memos-data
echo '/dev/mapper/encrypted_data /mnt/memos-data ext4 defaults 0 2' | sudo tee -a /etc/fstab
sudo mount /mnt/memos-data

Backup Security

Secure your backup processes and storage.

# Encrypted backups
export MEMOS_BACKUP_ENCRYPTION=true
export MEMOS_BACKUP_ENCRYPTION_KEY=backup-encryption-key

# Backup retention and rotation
export MEMOS_BACKUP_RETENTION_DAYS=90
export MEMOS_BACKUP_ROTATION_ENABLED=true

# Secure backup storage
export MEMOS_BACKUP_STORAGE_TYPE=s3
export MEMOS_BACKUP_S3_ENCRYPTION=AES256
export MEMOS_BACKUP_S3_BUCKET=secure-memos-backups

Data Privacy

GDPR Compliance

# Data retention policies
export MEMOS_DATA_RETENTION_ENABLED=true
export MEMOS_DATA_RETENTION_PERIOD=2592000000  # 30 days in milliseconds

# User data export
export MEMOS_ENABLE_DATA_EXPORT=true
export MEMOS_DATA_EXPORT_FORMAT=json

# Data anonymization
export MEMOS_ENABLE_DATA_ANONYMIZATION=true
export MEMOS_ANONYMIZATION_RETENTION=86400  # 1 day

Access Control

Role-Based Access Control (RBAC)

Configure user roles and permissions.

# Enable RBAC
export MEMOS_RBAC_ENABLED=true

# Default roles
export MEMOS_DEFAULT_USER_ROLE=user
export MEMOS_ADMIN_REGISTRATION_ENABLED=false

# Permission granularity
export MEMOS_ENABLE_GRANULAR_PERMISSIONS=true

User Roles and Permissions

Role        Description            Permissions
Admin       Full system access     All permissions
Moderator   Content moderation     Read, write, moderate content
User        Standard user          Read, write own content
Viewer      Read-only access       Read public content only

API Security

API Token Management

# Token security
export MEMOS_API_TOKEN_EXPIRY=86400  # 24 hours
export MEMOS_API_TOKEN_REFRESH_ENABLED=true
export MEMOS_API_TOKEN_ROTATION_ENABLED=true

# API versioning and deprecation
export MEMOS_API_VERSION_ENFORCEMENT=true
export MEMOS_API_DEPRECATED_VERSIONS=v0.1,v0.2

OAuth 2.0 Configuration

# OAuth providers
export MEMOS_OAUTH_GOOGLE_ENABLED=true
export MEMOS_OAUTH_GOOGLE_CLIENT_ID=your-client-id
export MEMOS_OAUTH_GOOGLE_CLIENT_SECRET=your-client-secret

export MEMOS_OAUTH_GITHUB_ENABLED=true
export MEMOS_OAUTH_GITHUB_CLIENT_ID=your-github-client-id
export MEMOS_OAUTH_GITHUB_CLIENT_SECRET=your-github-client-secret

# OAuth security
export MEMOS_OAUTH_STATE_VERIFICATION=true
export MEMOS_OAUTH_PKCE_ENABLED=true

Security Monitoring

Audit Logging

Enable comprehensive audit logging for security events.

# Audit logging
export MEMOS_AUDIT_LOG_ENABLED=true
export MEMOS_AUDIT_LOG_LEVEL=info
export MEMOS_AUDIT_LOG_FILE=/var/log/memos/audit.log

# Log retention
export MEMOS_AUDIT_LOG_RETENTION_DAYS=90
export MEMOS_AUDIT_LOG_ROTATION_SIZE=100MB

Events to Log

  • User authentication (success/failure)
  • Password changes
  • Account lockouts
  • Administrative actions
  • Data access and modifications
  • API token creation/revocation
  • Configuration changes

Intrusion Detection

File Integrity Monitoring

# Install AIDE (Advanced Intrusion Detection Environment)
sudo apt install aide

# Configure AIDE: add the rules below to /etc/aide/aide.conf
# (on Debian/Ubuntu a drop-in file under /etc/aide/aide.conf.d/ is picked up as well)
sudo nano /etc/aide/aide.conf

# Key directories to monitor (file type, permissions, owner, group, size, mtime, ctime, checksums)
/var/opt/memos f+p+u+g+s+m+c+md5+sha256
/etc/memos f+p+u+g+s+m+c+md5+sha256

# Initialize database
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Daily checks (the redirect into /etc/crontab needs root)
echo '0 2 * * * root /usr/bin/aide --check' | sudo tee -a /etc/crontab

Log Monitoring

# Install fail2ban
sudo apt install fail2ban

# Configure a jail for Memos in /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

[memos-auth]
enabled = true
port = http,https
# The filter must exist as /etc/fail2ban/filter.d/memos-auth.conf with a failregex
# that matches failed sign-ins in the log below. Behind the reverse proxy the log
# must record the real client address (X-Forwarded-For / X-Real-IP), otherwise
# every ban lands on the proxy's own address.
filter = memos-auth
logpath = /var/log/memos/access.log
maxretry = 5
findtime = 600
bantime = 3600
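An added Python example, not part of this guide or of fail2ban, that replays the jail's maxretry / findtime / bantime logic over constructed access-log lines so the threshold can be sanity-checked before going live; the sign-in path /api/v1/auth/signin and the nginx combined log format are assumptions, since the guide does not define the Memos access-log format:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed access-log lines in nginx "combined" format (not from a real Memos
# instance); the sign-in path /api/v1/auth/signin is assumed.
LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:55:10 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2024:13:57:03 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:58:00 +0000] "POST /api/v1/auth/signin HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:58:04 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2024:13:59:05 +0000] "POST /api/v1/auth/signin HTTP/1.1" 401 52 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2024:14:20:00 +0000] "GET /api/v1/memos HTTP/1.1" 200 120 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def is_auth_failure(ev):
    # The same condition a failregex for this jail would express.
    return ev["method"] == "POST" and ev["path"].startswith("/api/v1/auth/") and ev["status"] in (401, 403)

def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    # Replay log lines through a fail2ban-style sliding window; return {ip: ban expiry}.
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or not is_auth_failure(ev):
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ip in bans and bans[ip] > ts:      # already banned: nothing more to count
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:                 # maxretry failures inside findtime: ban
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans
```

In the sample, 203.0.113.5 reaches five failures within four minutes and is banned for an hour from its fifth attempt; 198.51.100.7 fails once and then signs in, so it is left alone.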

Security Scanning

Vulnerability Scanning

# Nmap service and version scan of your Memos host (replace target_ip)
nmap -sV -sC -O target_ip

# OpenVAS vulnerability scan: openvas-cli is the legacy client and -h only prints its help;
# current Greenbone releases run scans from the web UI or through gvm-cli
openvas-cli -h target_ip

# Docker security scanning
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  --name Anchore anchore/grype:latest \
  neosmemo/memos:stable

Dependency Scanning

# Check for known vulnerabilities
# Frontend dependencies (run in the frontend directory)
npm audit

# Go backend: go mod verify only confirms that module contents match go.sum;
# govulncheck (go install golang.org/x/vuln/cmd/govulncheck@latest) reports known vulnerabilities
go mod verify
govulncheck ./...

# OWASP Dependency Check
dependency-check --project memos --scan /path/to/memos

Incident Response

Security Incident Procedures

Immediate Response

  1. Identify the incident scope and impact
  2. Isolate affected systems to prevent spread
  3. Preserve evidence for forensic analysis
  4. Notify stakeholders according to policy
  5. Begin containment and remediation

Evidence Collection

# Write evidence to external media mounted at /backup, never onto the disk being imaged,
# and capture the most volatile data (memory, network) before the disk

# Memory dump: /proc/kcore is a sparse view of kernel virtual memory, not a usable image;
# use a dedicated acquisition tool such as AVML (shown here) or LiME
sudo avml /backup/memory_dump.lime

# Network capture on all interfaces (stop with Ctrl-C)
sudo tcpdump -i any -w /backup/network_capture.pcap

# Disk image, with a hash recorded for chain of custody
sudo dd if=/dev/sda of=/backup/system_snapshot.img bs=4M conv=sync,noerror status=progress
sha256sum /backup/system_snapshot.img > /backup/system_snapshot.img.sha256

# Application logs, preserving timestamps and ownership
sudo mkdir -p /backup/incident_logs
sudo cp -a /var/log/memos/. /backup/incident_logs/

Recovery Procedures

# Backup current state (keep this compromised copy for forensics)
sudo systemctl stop memos
sudo tar -czf /backup/pre_recovery_$(date +%Y%m%d).tar.gz /var/opt/memos

# Verify the clean backup before trusting it (assumes a checksum was recorded when it was made)
sha256sum -c /backup/clean_backup.tar.gz.sha256

# Restore from clean backup (add --strip-components if the archive stores full paths)
sudo rm -rf /var/opt/memos/*
sudo tar -xzf /backup/clean_backup.tar.gz -C /var/opt/memos

# Update Memos to a patched release before restarting, then verify the service
sudo systemctl start memos
sudo systemctl status memos

Security Best Practices Checklist

Pre-Deployment

  • Security requirements defined and documented
  • Threat modeling completed
  • Security architecture reviewed
  • Penetration testing performed
  • Compliance requirements verified

Deployment

  • HTTPS/TLS properly configured
  • Strong passwords enforced
  • MFA enabled for administrators
  • Firewall rules configured
  • Rate limiting implemented
  • Security headers configured
  • Database encryption enabled
  • Backup encryption configured

Post-Deployment

  • Security monitoring active
  • Audit logging enabled
  • Vulnerability scanning scheduled
  • Incident response plan tested
  • Security updates automated
  • Regular security reviews scheduled

Ongoing Maintenance

  • Regular security audits
  • Dependency updates
  • Configuration reviews
  • Access reviews
  • Log analysis
  • Backup testing

Security Notice: Security is an ongoing process, not a one-time configuration. Regularly review and update your security posture as threats evolve.

Compliance Considerations

GDPR Compliance

  • Data minimization: Only collect necessary data
  • Consent management: Explicit user consent
  • Right to be forgotten: Data deletion capabilities
  • Data portability: Export user data
  • Privacy by design: Built-in privacy controls

SOC 2 Compliance

  • Access controls: Role-based permissions
  • Encryption: Data at rest and in transit
  • Monitoring: Comprehensive audit logs
  • Incident response: Documented procedures
  • Vendor management: Third-party security reviews

Next Steps


Need help with security configuration? Consult with security professionals and check our troubleshooting guide for common security issues.