Universal Security Fundamentals
These security configurations apply to all Infisical deployments regardless of how you deploy.Cryptographic Security
Generate Secure Keys
Generate strong cryptographic keys for your deployment:Configure Token Lifetimes
Minimize exposure window for compromised tokens:Network Security
TLS Configuration
Configure HTTPS and secure database connections:Redis Security
Use authentication and TLS for Redis:Network Access Controls
Configure network restrictions and firewall rules:Server-Side Request Forgery (SSRF) Protection
Outbound requests to user-configured destinations (App Connections, Webhooks, Audit Log Streams, Dynamic Secrets, PKI Discovery, and similar) run through an SSRF-safe HTTP client that validates the destination and pins the connection to the validated IP. Keep these controls in mind when hardening egress: Reaching private resources: prefer the Gateway. To integrate with services on an internal/private network, deploy the Gateway rather than opening internal IP ranges on the Infisical instance. The Gateway runs inside your network and tunnels traffic over an mTLS connection, so no internal IP allowlisting is required and SSRF protection on the instance stays fully enabled. Opening internal IPs: scope it as narrowly as possible. For the features that egress directly (without a Gateway), private-IP access is disabled by default. When you must allow it, prefer the per-feature flags over the global switch, and understand that enabling any of these also disables DNS-rebinding pin protection for that path:SAFE_REQUEST_FORCE_DIRECT_EGRESS so requests
cannot be routed through an ambient HTTP_PROXY / HTTPS_PROXY that would
re-resolve the target and bypass the validated-IP pin. It is false by default
(Infisical Cloud enables it through its own deployment configuration); set it
explicitly for hardened self-hosted deployments that do not use an egress proxy:
- Required ports: Infisical API (8080) and HTTPS (if applicable)
- Database access: Restrict PostgreSQL and Redis to authorized sources only
- Principle: Default deny incoming, allow only required traffic
- Implementation: See your deployment-specific section below for exact configuration
Application Security
Site Configuration
Set proper site URL for your Infisical instance:Public Signups Are Disabled After Admin Setup
On a self-hosted instance, self-service signups are disabled by default once the first super admin account is created. No configuration is required to get this hardened default. You can still invite users to your organization, and to provision additional users, prefer organization invitations over public signup. If you operate a trusted, internal instance and deliberately want open signups, re-enable them from the Admin Console → Authentication settings by setting Allow user signups to Anyone. The same control lets you disable signups again at any time.This hardened default applies to new installations only. It takes effect
when the first super admin account is created, so an instance that was already
initialized before upgrading keeps its existing Allow user signups setting
(open by default). If you run an existing self-hosted instance, verify this in
Admin Console → Authentication and set Allow user signups to
Disabled if you want the hardened behavior.
SMTP Security
Use TLS for email communications:Privacy Configuration
Control telemetry and data collection:Database Security
High Availability Configuration
Configure database read replicas for high availability PostgreSQL setups:Operational Security
User Access Management
Establish user off-boarding procedures. Remove access promptly when users leave:- Remove user from organization
- Revoke active service tokens
- Remove from external identity providers
- Audit access logs for the user’s activity
- Rotate any shared secrets the user had access to
Maintenance and Updates
Keep frequent upgrade cadence. Regularly update to the latest Infisical version for your deployment method.Deployment-Specific Hardening
Docker Deployment
These recommendations are specific to Docker deployments of Infisical.Container Security
Use read-only root filesystems. Prevent runtime modifications while allowing necessary temporary access:- Secret scanning operations
- SSH certificate generation and validation
--tmpfs mounts provide secure, isolated temporary storage that is:
- Automatically cleaned up on container restart
- Limited in size to prevent disk exhaustion
- Isolated from the host system
- Wiped on container removal
latest tags in production:
Resource Management
Set resource limits. Prevent resource exhaustion attacks:Health Monitoring
Configure health checks. Set up Docker health checks:Network Security
Host firewall configuration. Configure host-level firewall for Docker deployments:Maintenance
Regular updates. Monitor Docker Hub for new releases and update your image tags regularly.Kubernetes Deployment
These recommendations are specific to Kubernetes deployments of Infisical.Pod Security
Use Pod Security Standards. Apply restricted security profile:Network Security
Configure network policies. Restrict pod-to-pod communication:- Allow ingress from load balancer to NodePort/ClusterIP service
- Allow egress to managed databases
- Block all other traffic
- Ingress traffic from ingress controllers
- Egress traffic to external services (databases, SMTP)
Access Control
Use dedicated service accounts. Create service accounts with minimal permissions:Ingress Security
Configure ingress with TLS. Set up secure ingress:Secret Management
Use Kubernetes secrets. Store sensitive configuration securely:- Enable etcd encryption at rest to protect secrets stored in the cluster
- Limit access to etcd and Kubernetes API to only trusted administrators
Health Monitoring
Set up health checks. Configure readiness and liveness probes:Infrastructure Considerations
Use managed databases (if possible). For production deployments, consider using managed PostgreSQL and Redis services instead of in-cluster instances when feasible, as they typically provide better security, backup, and maintenance capabilities.Maintenance
Regular updates. Monitor Docker Hub for new releases and update your deployment manifests with new image tags regularly.Linux Package (infisical-ctl) Deployment
These recommendations are specific to deployments using the Infisical Linux package, which is managed by theinfisical-ctl CLI tool.
Built-in Security Features
The Infisical Linux package (omnibus) includes several security measures out of the box:- Privilege dropping: The package uses
chpstto automatically drop the running application process fromrootto the dedicatedinfisicaluser. You do not need to configure this manually. - Service supervision: Services are managed by
runsvdir, which provides automatic process supervision and restart. - Structured directories: Application files, data, and logs are organized under standard paths (
/opt/infisical-core,/var/opt/infisical-core,/var/log/infisical-core).
systemd Hardening
Theinfisical-core package ships a systemd unit (infisical-runsvdir.service) that starts the runsvdir process supervisor. You can apply additional hardening using a systemd drop-in override without modifying the original unit file:
Configuration Security
Secure the configuration file. Theinfisical.rb file contains sensitive credentials and should be properly protected:
File Permissions
Verify directory permissions. Ensure proper ownership on application directories:System Security
Disable memory swapping. Prevent sensitive data from being written to disk:Network Security
Host firewall configuration. Configure comprehensive firewall for Linux package deployments:Health Monitoring
Monitor service health. Useinfisical-ctl to monitor the service:
Maintenance
Regular updates. Monitor Infisical releases for new package versions. Update using your package manager:Enterprise Security Features
Hardware Security Module (HSM) Integration
For the highest level of encryption security, integrate with Hardware Security Modules: HSM integration provides hardware-protected encryption keys stored on tamper-proof devices, offering superior security for encryption operations:- Supported HSM Providers: Thales Luna Cloud HSM, AWS CloudHSM, Fortanix HSM
- Root Key Protection: HSM encrypts Infisical’s root encryption keys using hardware-protected keys
- Enterprise Requirements: Ideal for government, financial, and healthcare organizations
External Key Management Service (KMS) Integration
Leverage cloud-native KMS providers for enhanced security and compliance: Infisical can integrate with external KMS providers to encrypt project secrets, providing enterprise-grade key management:- Supported Providers: AWS KMS, Google Cloud KMS, Azure Key Vault (coming soon)
- Workspace Key Protection: Each project’s encryption key is protected by your external KMS
- Envelope Encryption: Infisical uses your cloud KMS to encrypt/decrypt project workspace keys, which in turn encrypt the actual secret data
- Compliance: Leverage your cloud provider’s compliance certifications (FedRAMP, SOC2, ISO 27001)
Benefits for Production Deployments
- Separation of Concerns: Keys managed in your cloud infrastructure, separate from Infisical
- Regulatory Compliance: Use your existing compliance-certified KMS infrastructure
- Audit Integration: KMS operations logged in your cloud provider’s audit trails
- Disaster Recovery: Keys backed by your cloud provider’s HA and backup systems
- Access Controls: Leverage your cloud IAM for KMS access management
Configuration Resources
For external KMS configuration, see:Advanced Security Configurations
Backup Security
Configure backup encryption. Encrypt PostgreSQL backups:Monitoring and Logging
Implement log monitoring. Set up centralized logging for security analysis and audit trails. Configure your SIEM or logging platform to monitor Infisical operations.Security Updates
Regular security updates. Monitor the Infisical repository for security updates and apply them promptly.Compliance and Monitoring
Enterprise Compliance Requirements
For enterprise deployments requiring compliance certifications:- Implement audit log retention policies
- Set up security event monitoring and alerting
- Configure automated vulnerability scanning
- Establish incident response procedures
- Document security controls for compliance audits