Security hardening

Steps to harden a Tether installation before exposing it to the internet. Most of these take under 5 minutes and significantly reduce your attack surface.

Pre-production security checklist

JWT tokens

Login sessions are JWT tokens signed with SECRET_KEY. Tokens are valid for 7 days. If you suspect a token has been compromised:

Rotating SECRET_KEY logs everyone out

When you change SECRET_KEY and restart Tether, every logged-in session is immediately invalidated. All users must log in again. Notify your team before doing this.
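The reason key rotation logs everyone out is that a JWT carries no server-side state: a session is valid only for as long as its HMAC signature verifies under the current SECRET_KEY and its expiry has not passed. The following is an added illustration, not Tether's code; it assumes Tether's tokens are HS256-signed (an assumption, since the page only says they are signed with SECRET_KEY) and uses only the Python standard library, with the 7-day lifetime from this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Added illustration of why rotating SECRET_KEY invalidates every session.
# Minimal HS256 JWT sign/verify for demonstration only; that Tether uses HS256
# is an assumption, and the key names below are constructed for this example.

SESSION_LIFETIME = 7 * 24 * 3600  # 7 days, as stated on this page


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(user_id: str, secret_key: str, now: int) -> str:
    """Issue a session token for user_id, signed with secret_key, expiring in 7 days."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + SESSION_LIFETIME}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session(token: str, secret_key: str, now: int):
    """Return the payload if the signature verifies under secret_key and the token
    is unexpired; otherwise None (the session is treated as logged out)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(
        secret_key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    issued_at = int(time.time())
    token = sign_session("alice", "old-secret-key", issued_at)
    print("before rotation:", verify_session(token, "old-secret-key", issued_at + 60))
    # After rotating SECRET_KEY the same token fails verification: alice must log in again.
    print("after rotation: ", verify_session(token, "new-secret-key", issued_at + 60))
```

Because the old tokens are not stored anywhere, rotation is the only way to revoke them all at once; that is why the page recommends it as the response to a suspected compromise, and why there is no way to log out a single user short of waiting for the 7-day expiry.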

Database security

For MariaDB in bare-metal deployments:

```bash
# Do not allow root login from outside localhost
sudo mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host != 'localhost'; FLUSH PRIVILEGES;"

# Verify no anonymous users exist (this query should return an empty result set)
sudo mysql -e "SELECT User, Host FROM mysql.user WHERE User='';"
```

If running MariaDB with Docker, the container's 3306 port is not mapped to the host and is only accessible to the tether-app container — this is correct and secure by default.

Firewall

Allow only ports 80, 443, and your SSH port. Block everything else:

```bash
# Using ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh      # "ssh" resolves to port 22; add your own port first if sshd listens elsewhere
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

# Verify
sudo ufw status
```
If you use a non-standard SSH port, add it before enabling ufw

Running sudo ufw enable without allowing your SSH port will lock you out of the server.
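To avoid the lockout described above, find the port sshd actually listens on before enabling ufw. The following helper is an added example, not part of Tether: it reads the uncommented Port directives from sshd_config text (or from the output of `sudo sshd -T`, which prints the effective configuration including any Include'd files) and produces the ufw command sequence from this page with the SSH port allowed before `ufw enable`. It parses only `Port` lines; a port set via `ListenAddress host:port` is not detected. The sample config is constructed for the demo.

```python
import re
import sys

# Added helper (not part of Tether): derive the SSH port(s) from sshd config text
# and emit this page's ufw commands with those ports allowed before "ufw enable".
# Limitation: only "Port N" directives are parsed, not "ListenAddress host:port".

DEFAULT_SSH_PORT = 22
# Matches "Port 2222" in sshd_config and "port 2222" in `sshd -T` output; a leading
# "#" makes the match fail, so commented-out defaults such as "#Port 22" are skipped.
PORT_DIRECTIVE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)

SAMPLE_SSHD_CONFIG = """\
# Constructed sample sshd_config for this demo
#Port 22
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""


def ssh_ports_from_config(config_text: str) -> list:
    """Return every uncommented Port value in order, or [22] when none is set."""
    ports = []
    for line in config_text.splitlines():
        m = PORT_DIRECTIVE.match(line)
        if m:
            ports.append(int(m.group(1)))
    return ports or [DEFAULT_SSH_PORT]


def ufw_plan(ssh_ports: list) -> list:
    """The ufw sequence from this page, with the SSH port(s) allowed before enabling."""
    cmds = ["sudo ufw default deny incoming", "sudo ufw default allow outgoing"]
    cmds += [f"sudo ufw allow {port}/tcp" for port in ssh_ports]
    cmds += [
        "sudo ufw allow 80",
        "sudo ufw allow 443",
        "sudo ufw enable",
        "sudo ufw status",
    ]
    return cmds


if __name__ == "__main__":
    # Usage: python3 ufw_plan.py /etc/ssh/sshd_config
    #    or: sudo sshd -T | python3 ufw_plan.py -
    if len(sys.argv) > 1:
        text = sys.stdin.read() if sys.argv[1] == "-" else open(sys.argv[1]).read()
    else:
        text = SAMPLE_SSHD_CONFIG
    print("\n".join(ufw_plan(ssh_ports_from_config(text))))
```

The script only prints the commands; review the plan and run it yourself. On distributions whose sshd_config pulls in `sshd_config.d/*.conf`, feed it `sudo sshd -T` output rather than the main file so that a port set in a drop-in file is not missed.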

Security headers

Add these to your nginx config to enable browser security features:

```nginx
# In your server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header Referrer-Policy strict-origin-when-cross-origin;
```
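After reloading nginx, confirm the headers are actually being sent. The following audit is an added example, not part of Tether: it checks a set of response headers against the four values in the snippet above (HSTS with a max-age of at least one year and includeSubDomains, nosniff, DENY, strict-origin-when-cross-origin) and returns a list of findings. The sample header sets are constructed; `fetch_and_audit` is an optional wrapper that pulls live headers with urllib.

```python
import re
import urllib.request

# Added example (not part of Tether): audit response headers for the values
# this page tells you to add in the nginx server block.

EXPECTED_EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, the value used in the nginx snippet

# Constructed samples: one deployment with the snippet applied, one without.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}


def audit_headers(headers: dict) -> list:
    """Return findings for headers that are missing or weaker than recommended;
    an empty list means all four headers match this page."""
    # HTTP header names are case-insensitive, so normalise before comparing.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED_EXACT.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"strict-transport-security max-age below {MIN_HSTS_MAX_AGE}: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security lacks includeSubDomains")
    return findings


def fetch_and_audit(url: str) -> list:
    """Fetch url and audit the headers of the live response (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, sample in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit_headers(sample) or ["ok"])
```

Run the audit against a URL that returns an error page as well as one that succeeds: in nginx, `add_header` without `always` is applied only to 2xx and 3xx responses, and a `location` block that sets any `add_header` of its own inherits none from the enclosing `server` block, so a header that is present on the login page can still be absent elsewhere.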

Keeping Tether updated

Subscribe to GitHub release notifications to be notified of security patches:

When a security release is published, apply it promptly. See Upgrading.

Reporting vulnerabilities

If you discover a security vulnerability in Tether, please email [email protected] rather than opening a public GitHub issue. We respond to security reports within 24 hours.

Last updated: May 2026