Our security recommendations


  • Make sure to follow common security guidelines - see PHP the right way.
  • Mind the OWASP Cheat Sheets to negate attacks before they can start.
  • Best practice for security and portability is to store secrets like database password not with code but with our App Secrets or ENV vars (as long as they are not exposed as well).
  • Don't store sensitive information in plain text in the database, use ciphertext.


  • The password to login with the fortrabbit Dashboard must be secure.
    • Use a password manager or a long pass-phrase.
    • Don't share your Account password, use our collaboration features instead.
  • Enable two-factor authentication (2FA) with your fortrabbit Account.
  • Use SSH key authentication to access code instead of username+password
  • Rotate internal passwords via the Dashboard for your App:
    • MySQL database
    • Object storage
    • When company members leave
  • Go over the list of imported SSH public keys periodically and keep only those being used.

Further reading

Craft CMS

Install guides

Develop & deploy





Tips & tricks

Need individual help?
Learn about Company plans ›
Looking for an old article?
See the full list of articles ›
Found an error?
Contribute on GitHub ›