It's my first Directus project and I'm going through it, so I've put this together from what I've done so far.
I don't know if it will help others, but something like this as a living document could have been useful for me; maybe others?
What important things do you see that I missed, and what did I get wrong? Thank you 🙏
Directus Security Review
✅ Quick Checklist
- CVE updates: Latest Directus Version Check
- All critical env vars verified
- Infrastructure security configured (rate limiting, HSTS, CORS)
- Session security configured (secure cookies, timeouts)
- Password security configured (Argon2, 2FA, complexity)
- Access control roles defined (admin, editor, user, public)
- Directus flows audited (emitEvents, $full permissions, error handling)
- Frontend app security verified (input validation, XSS protection)
- Security testing completed (infrastructure tests, penetration testing)
- Compliance & documentation complete (policies, incident response)
Links
Access Control
Manage user and role permissions and policies for interacting with data in Directus.
Security & Limits
Configuration for access tokens, cookies, CSP, hashing, CORS, rate limiting, and request limits.
Security Best Practices Conversation
Discussion on GitHub about the Security Best Practices Guide
Reporting Security Vulnerabilities
Report security vulnerabilities to the Directus team.
🔧 Directus Environment Variables
# Critical
SECRET="[see 🔐 Generate Secret]"
PUBLIC_URL="https://directus.url"
# Authentication
ACCESS_TOKEN_TTL="15m"
REFRESH_TOKEN_TTL="7d"
SESSION_COOKIE_SECURE="true"
# Rate Limiting
RATE_LIMITER_ENABLED="true"
RATE_LIMITER_POINTS="25"
RATE_LIMITER_DURATION="1"
RATE_LIMITER_STORE="memory"
# CORS
CORS_ENABLED="true"
CORS_ORIGIN="https://your-app.url"
CORS_CREDENTIALS="true"
# Security Headers
HSTS_ENABLED="true"
🔐 Generate Secret
PowerShell:
# Get-Random is not a cryptographic RNG; take the 32 bytes from the .NET CSPRNG instead
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[Convert]::ToBase64String($bytes)
Bash:
openssl rand -base64 32
🧪 Testing
Rate Limiting (should see 429 after ~25 requests):
for i in {1..30}; do
  # -s hides the progress meter; -i keeps the status line that grep prints
  curl -s -i https://directus.url/auth/login \
    -X POST -H "Content-Type: application/json" \
    -d '{"email":"user@example.com","password":"wrong"}' | grep -E "^HTTP"   # any address; the password is deliberately wrong
  sleep 0.2
done
TLS Server Test:
https://www.ssllabs.com/
HSTS + Security Headers:
https://securityheaders.com/
CORS Test:
https://cors-test.codehappy.dev/
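Added example (not part of the original post or of Directus): a small checker that reads a Directus .env file and compares it with the values in the environment block above, so the "All critical env vars verified" item can be run rather than eyeballed. The parser, the duration conversion and the thresholds are mine; the two .env samples are constructed, and the treatment of CORS_ORIGIN=true as "reflect the request Origin" follows the Directus configuration docs.

```python
"""Check a Directus .env against the hardening values in the checklist above.

Added example, not from the original post or from Directus. Parses KEY="value"
lines, converts Directus duration strings such as "15m" or "7d" to seconds, and
reports settings that fall short. Thresholds are the reviewer's own choices.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample .env, deliberately misconfigured in several places.
WEAK_ENV = """
# Critical
SECRET="changeme"
PUBLIC_URL="http://directus.example"
# Authentication
ACCESS_TOKEN_TTL="30d"
REFRESH_TOKEN_TTL="7d"
SESSION_COOKIE_SECURE="false"
# Rate limiting / CORS / headers
RATE_LIMITER_ENABLED="true"
CORS_ENABLED="true"
CORS_ORIGIN="*"
CORS_CREDENTIALS="true"
HSTS_ENABLED="true"
"""

# Constructed sample that mirrors the env block in the checklist (secret is made up).
GOOD_ENV = """
SECRET="x9Qm2LpV7sT4wZc1Rb8Hn6Kd3Fy0Ja5Ug2Ei7Oq4Wt1="
PUBLIC_URL="https://directus.url"
ACCESS_TOKEN_TTL="15m"
REFRESH_TOKEN_TTL="7d"
SESSION_COOKIE_SECURE="true"
RATE_LIMITER_ENABLED="true"
CORS_ENABLED="true"
CORS_ORIGIN="https://your-app.url"
CORS_CREDENTIALS="true"
HSTS_ENABLED="true"
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=value lines, skipping comments and stripping surrounding quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def ttl_seconds(value: str) -> int:
    """Convert a Directus duration like '15m' or '7d' to seconds."""
    match = re.fullmatch(r"(\d+)\s*([smhd])", value.strip())
    if not match:
        raise ValueError(f"unrecognised duration: {value!r}")
    return int(match.group(1)) * _UNITS[match.group(2)]


def _is_true(env: Dict[str, str], key: str) -> bool:
    return env.get(key, "").strip().lower() == "true"


def audit_env(env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (variable, problem) pairs for settings that miss the checklist."""
    findings: List[Tuple[str, str]] = []
    if len(env.get("SECRET", "")) < 32:  # 32 random bytes base64-encoded is 44 chars
        findings.append(("SECRET", "shorter than 32 characters; use openssl rand -base64 32"))
    if not env.get("PUBLIC_URL", "").startswith("https://"):
        findings.append(("PUBLIC_URL", "not https; cookies and redirects must stay on TLS"))
    # Fallbacks are Directus' documented defaults (15m / 7d) when the key is unset.
    if ttl_seconds(env.get("ACCESS_TOKEN_TTL", "15m")) > 3600:  # reviewer's limit: one hour
        findings.append(("ACCESS_TOKEN_TTL", "longer than 1h; a leaked token stays valid too long"))
    if ttl_seconds(env.get("REFRESH_TOKEN_TTL", "7d")) > 7 * 86400:  # checklist value
        findings.append(("REFRESH_TOKEN_TTL", "longer than 7d"))
    if not _is_true(env, "SESSION_COOKIE_SECURE"):
        findings.append(("SESSION_COOKIE_SECURE", "not true; session cookie may travel over plain HTTP"))
    if not _is_true(env, "RATE_LIMITER_ENABLED"):
        findings.append(("RATE_LIMITER_ENABLED", "not true; login attempts are not throttled"))
    origin = env.get("CORS_ORIGIN", "false").strip().lower()
    if _is_true(env, "CORS_ENABLED") and _is_true(env, "CORS_CREDENTIALS") and origin in ("*", "true"):
        # Directus treats CORS_ORIGIN=true as "reflect the request Origin", which with
        # credentials allowed is as permissive as a wildcard.
        findings.append(("CORS_ORIGIN", "wildcard or reflected origin combined with CORS_CREDENTIALS=true"))
    if not _is_true(env, "HSTS_ENABLED"):
        findings.append(("HSTS_ENABLED", "not true; browsers may keep using plain HTTP"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_env(parse_env(WEAK_ENV)):
        print(f"{key}: {problem}")
```

Run it against the real file with `audit_env(parse_env(open(".env").read()))`; an empty list means every variable in the block above is at or better than the checklist value.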
📋 Remaining Tasks
Password + Login Security (Directus Admin Dashboard Config)
- Argon2 hashing enabled (Directus default)
- Minimum password length enforced (8+ chars)
- Password complexity requirements
- 2FA Enabled
Access Control / Role Configurations
- Define administrator role (limited to < 3 users)
- Define content manager role (Editor)
- Define authenticated user role (User)
- Configure public role with minimal permissions
System Collections
- System collections protected (directus_flows, directus_settings, etc.)
- Admin-only access configured (flows, settings, permissions, webhooks)
- Users collection properly secured
- Activity logs protected
- Sessions restricted (users see own only)
Field Permissions
- Protected fields (vote_count, etc.) read-only for users
- System fields (date_created, etc.) not editable
- Sensitive fields hidden from public
Session Configuration
- Session timeout < 24 hours
- Inactive timeout < 30 minutes
- SameSite cookie attribute configured
- Session timeouts tested
Directus Flows Security
- All flows audited and documented
- emitEvents: false on data modification flows
- $full permissions usage audited
- Blocking flow triggers reviewed
- User input sanitized in flows
- Webhook flows don't leak sensitive data
- Flow error handling implemented
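Added example (not from the original post or from Directus) showing how the flow items above can be checked from an export of the flows rather than by clicking through each one in the admin app. The row layout assumed here (trigger and options on the flow; type, options, resolve and reject on each operation; `permissions: "$full"` and `emitEvents` inside the options of the item-create/update/delete operations) is my reading of the directus_flows / directus_operations schema, and the sample export is constructed.

```python
"""Static audit of exported Directus flows against the flow checklist above.

Added example, not from the original post or from Directus. The export layout
is an assumption about the directus_flows / directus_operations schema.
"""
from typing import Any, Dict, List, Tuple

# Constructed export shaped like rows of directus_flows / directus_operations.
SAMPLE_EXPORT: Dict[str, List[Dict[str, Any]]] = {
    "flows": [
        {"id": "flow-1", "name": "Recount votes", "trigger": "event",
         "options": {"type": "action", "scope": ["items.update"], "collections": ["posts"]}},
        {"id": "flow-2", "name": "Validate comment", "trigger": "event",
         "options": {"type": "filter", "scope": ["items.create"], "collections": ["comments"]}},
    ],
    "operations": [
        {"id": "op-1", "flow": "flow-1", "key": "update_post", "type": "item-update",
         "options": {"collection": "posts", "permissions": "$full", "emitEvents": True},
         "resolve": "op-2", "reject": None},
        {"id": "op-2", "flow": "flow-1", "key": "log_done", "type": "log",
         "options": {"message": "recounted"}, "resolve": None, "reject": None},
        {"id": "op-3", "flow": "flow-2", "key": "check_body", "type": "condition",
         "options": {"filter": {"body": {"_nnull": True}}}, "resolve": None, "reject": None},
    ],
}

WRITE_OPS = {"item-create", "item-update", "item-delete"}
FALLIBLE_OPS = WRITE_OPS | {"request", "exec", "mail"}

Finding = Tuple[str, str, str]  # (flow name, code, detail)


def audit_flows(export: Dict[str, List[Dict[str, Any]]]) -> List[Finding]:
    """Flag blocking triggers, event loops, $full permissions and missing reject paths."""
    findings: List[Finding] = []
    ops_by_flow: Dict[str, List[Dict[str, Any]]] = {}
    for op in export["operations"]:
        ops_by_flow.setdefault(op["flow"], []).append(op)

    for flow in export["flows"]:
        name = flow["name"]
        trig = flow.get("options") or {}
        is_event = flow["trigger"] == "event"
        if is_event and trig.get("type") == "filter":
            # Filter hooks run inside the request, before the write is committed.
            findings.append((name, "BLOCKING_TRIGGER",
                             "filter trigger runs inside the request; a slow or failing flow blocks the write"))
        # Collections whose events start this flow; a write to one of them with
        # emitEvents on can fire the trigger again (coarse check, ignores scope).
        watched = set(trig.get("collections") or []) if is_event else set()
        for op in ops_by_flow.get(flow["id"], []):
            opts = op.get("options") or {}
            if op["type"] in WRITE_OPS and opts.get("emitEvents"):
                if opts.get("collection") in watched:
                    findings.append((name, "LOOP_RISK",
                                     f"{op['key']} writes {opts['collection']} with emitEvents on and can re-trigger this flow"))
                else:
                    findings.append((name, "EMIT_EVENTS",
                                     f"{op['key']} emits events; set emitEvents: false unless other hooks must run"))
            if opts.get("permissions") == "$full":
                findings.append((name, "FULL_PERMISSIONS",
                                 f"{op['key']} runs with $full access; justify it or scope it to a role"))
            if op["type"] in FALLIBLE_OPS and not op.get("reject"):
                findings.append((name, "NO_REJECT",
                                 f"{op['key']} has no reject path; a failure goes unhandled"))
    return findings


if __name__ == "__main__":
    for flow_name, code, detail in audit_flows(SAMPLE_EXPORT):
        print(f"[{code}] {flow_name}: {detail}")
```

Each finding maps to one checklist line: BLOCKING_TRIGGER to "Blocking flow triggers reviewed", LOOP_RISK and EMIT_EVENTS to "emitEvents: false on data modification flows", FULL_PERMISSIONS to "$full permissions usage audited", and NO_REJECT to "Flow error handling implemented". Input sanitisation and webhook data leakage are not visible in the schema and still need a manual read of the flow.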
Frontend App Security
- Input validation on all user inputs
- Output encoding (XSS prevention)
- API request validation and sanitization
Pen Testing
- Run security scan (OWASP ZAP / Burp Suite / Nessus)
Compliance & Documentation
Documentation
- Architecture diagram current
- Security procedures documented
- Incident response plan accessible
Compliance
- GDPR requirements met
- PCI DSS requirements met
- SOC 2 controls implemented
- Privacy policy published
- Terms of service published