Security Hardening

HTTPS

Always serve OJS over HTTPS. Obtain a free certificate from Let's Encrypt:

certbot --nginx -d yoursite.com -d www.yoursite.com

Set force_ssl = On in config.inc.php to redirect all HTTP traffic.

File Permissions

# Application files — readable by web server, not writable
chown -R www-data:www-data /var/www/html/ojs
find /var/www/html/ojs -type d -exec chmod 755 {} \;
find /var/www/html/ojs -type f -exec chmod 644 {} \;

# Files directory — writable by web server, outside webroot
chown -R www-data:www-data /var/www/ojs-files
chmod -R 755 /var/www/ojs-files

Protect `config.inc.php`

location ~* config\.inc\.php { deny all; return 404; }

Content Security Policy (CSP) Headers

Add to your Nginx config:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

Rate Limiting (Nginx)

limit_req_zone $binary_remote_addr zone=ojs_login:10m rate=5r/m;

location /index.php/index/login {
    limit_req zone=ojs_login burst=3 nodelay;
}

Regular Updates

Subscribe to PKP security announcements
Apply security patches promptly
Keep PHP, MySQL/PostgreSQL, and OS packages updated

API Key Security

If using the OJS REST API:

Issue API keys only to trusted integrations
Revoke unused keys via Administration → API Keys
Use HTTPS for all API calls

HTTPS​

File Permissions​

Protect config.inc.php​

Content Security Policy (CSP) Headers​

Rate Limiting (Nginx)​

Regular Updates​

API Key Security​

Further Reading​

HTTPS

File Permissions

Protect `config.inc.php`

Content Security Policy (CSP) Headers

Rate Limiting (Nginx)

Regular Updates

API Key Security

Further Reading