Security first

We performed a comprehensive security audit on FortiPanel and identified 29 potential vulnerabilities. This release addresses 19 of them across two focused security sprints.

What’s new

Database Encryption (Critical)

All sensitive fields in the database are now encrypted at rest using AES-128-CBC with HMAC-SHA256. This includes API tokens, passwords, SMTP credentials, and Telegram bot tokens. The encryption is transparent to operators: existing installations are migrated automatically on upgrade.

Redis Authentication

Redis now requires password authentication. No more unauthenticated access to the cache layer.

Firmware Upload Validation

Uploaded firmware files are now validated for extension (.out, .img, .bin only), file size (500MB max), and content. This prevents potential abuse through the firmware upload endpoint.

Additional hardening

  • Content-Disposition header sanitization to prevent injection attacks
  • SMB credentials are now passed via secure credential files instead of command-line arguments
  • Debug endpoints are disabled in production
  • Branding API now requires admin authentication

Upgrading

If you’re running FortiPanel v1.0, the upgrade is seamless. Pull the latest images and restart:

docker compose pull
docker compose up -d

The database migration runs automatically on startup.

What’s next

Sprint 3 will focus on SSL certificate verification, JWT httpOnly cookies, audit logging improvements, and running containers as non-root users.