Security Overview
SlimRMM was built from the ground up with security as a primary focus.
Security Architecture
Defense in Depth
SlimRMM implements multiple layers of security:
```
┌─────────────────────────────────────────────────────────────────┐
│                        Network Security                         │
│   ┌─────────────────────────────────────────────────────────┐   │
│   │                   TLS 1.3 Encryption                    │   │
│   │   ┌─────────────────────────────────────────────────┐   │   │
│   │   │                  Rate Limiting                  │   │   │
│   │   │   ┌─────────────────────────────────────────┐   │   │   │
│   │   │   │             Authentication              │   │   │   │
│   │   │   │   ┌─────────────────────────────────┐   │   │   │   │
│   │   │   │   │          Authorization          │   │   │   │   │
│   │   │   │   │   ┌─────────────────────────┐   │   │   │   │   │
│   │   │   │   │   │      Audit Logging      │   │   │   │   │   │
│   │   │   │   │   │   ┌─────────────────┐   │   │   │   │   │   │
│   │   │   │   │   │   │    Your Data    │   │   │   │   │   │   │
│   │   │   │   │   │   └─────────────────┘   │   │   │   │   │   │
│   │   │   │   │   └─────────────────────────┘   │   │   │   │   │
│   │   │   │   └─────────────────────────────────┘   │   │   │   │
│   │   │   └─────────────────────────────────────────┘   │   │   │
│   │   └─────────────────────────────────────────────────┘   │   │
│   └─────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
```

Key Security Features
User Authentication
- Short-lived JWTs - 15-minute default expiration
- Argon2 Password Hashing - Winner of the 2015 Password Hashing Competition
- MFA Support - TOTP and WebAuthn
- Account Lockout - After repeated failed login attempts
- Session Management - Tokens can be revoked before they expire
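The two token properties listed above, short expiry and revocability, are easy to get wrong in a hand-rolled verifier. The following is an added example (not SlimRMM's own code) that mints and checks HS256 JWTs with only the standard library: the signing secret stands in for the deployment's SECRET_KEY (an assumption, not something the page states), the lifetime is the page's 15-minute default, and revocation is keyed on the token's `jti` claim. Rejection reasons are returned as strings so the checks can be exercised one by one.

```python
"""Added example, not from SlimRMM: short-lived HS256 JWTs with a server-side
revocation list, standard library only.

Assumptions (not from the page): the JWT signing key is the deployment's
SECRET_KEY, and revoked tokens are tracked by their ``jti`` claim.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

TOKEN_LIFETIME = 15 * 60  # seconds; the page's 15-minute default

# A unique SECRET_KEY per deployment: 32 random bytes generated at install
# time, never a value copied from documentation or a sample config.
SECRET_KEY = secrets.token_bytes(32)

# Revocation list: jti -> exp, so entries can be pruned once the token
# would have expired on its own.
REVOKED: Dict[str, int] = {}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """Canonical JSON -> base64url, used for both header and payload."""
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying; only for revocation bookkeeping."""
    return json.loads(b64url_decode(token.split(".")[1]))


def issue_token(subject: str, role: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT that expires TOKEN_LIFETIME seconds after `now`."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "role": role,
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "jti": secrets.token_urlsafe(16),  # unique ID so this token can be revoked
    }
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def revoke_token(token: str) -> None:
    """Revoke a token before its natural expiry (logout, password change)."""
    claims = decode_claims(token)
    REVOKED[claims["jti"]] = claims["exp"]


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return None if the token is acceptable, otherwise why it was rejected."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON or bad UTF-8
        return "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "malformed"
    # Pin the algorithm: a token asserting alg=none must never be accepted.
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time MAC comparison
        return "bad signature"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return "expired"
    if payload.get("jti") in REVOKED:
        return "revoked"
    return None


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise PermissionError otherwise."""
    reason = rejection_reason(token, now)
    if reason is not None:
        raise PermissionError(f"token rejected: {reason}")
    return decode_claims(token)
```

The order of checks matters: the algorithm is pinned and the MAC verified before any claim is trusted, and `exp` is compared with `<=` so a token is dead at the instant it expires. Keeping `exp` alongside each revoked `jti` lets the list be pruned safely, since a token past its expiry is rejected anyway.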
Agent Authentication
- mTLS (Mutual TLS) - Server and agent each present a certificate and verify the other's
- CA-Signed Certificates - Centrally managed PKI
- Certificate Pinning - Optional additional validation
- Automatic Renewal - Before expiration
Authorization
- Role-Based Access Control (RBAC) - Granular permissions
- Folder-Level Access - Limit visibility
- Per-Endpoint Checks - Every request verified
- Principle of Least Privilege - Minimal access by default
Data Security
- Encryption in Transit - TLS 1.3 for all connections
- Encryption at Rest - Optional database encryption
- No Telemetry - Zero data sent externally
- Data Isolation - Each instance is standalone
Network Security
- Rate Limiting - Prevent abuse
- IP Blocking - Block malicious IPs
- CORS Protection - Restrict origins
- Security Headers - HSTS, CSP, X-Frame-Options
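Account lockout (listed under User Authentication above) and per-IP rate limiting with IP blocking (listed here) are the same mechanism with different keys: count events in a sliding window and refuse further ones for a while once the limit is exceeded. The following is an added example, not SlimRMM's own implementation, of one such counter serving both roles. The thresholds (5 wrong passwords in 15 minutes locks an account for 15 minutes; more than 100 requests per minute blocks an IP for 10 minutes) are assumptions chosen for illustration, not values from the page.

```python
"""Added example, not from SlimRMM: a sliding-window limiter used both for
account lockout (key = username) and per-IP rate limiting (key = client IP).

All thresholds below are assumptions for illustration, not SlimRMM defaults.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass
class Limiter:
    limit: int           # events allowed inside one window; the next one blocks
    window: float        # window length in seconds
    block_for: float     # how long a key stays blocked once it exceeds the limit
    _events: Dict[str, Deque[float]] = field(default_factory=dict)
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, key: str, now: float) -> bool:
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Block expired: forget it and the events that caused it.
            del self._blocked_until[key]
            self._events.pop(key, None)
            return False
        return True

    def record(self, key: str, now: float) -> bool:
        """Record one event for `key`; return True if the key is now blocked."""
        if self.is_blocked(key, now):
            return True
        q = self._events.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        if len(q) > self.limit:
            self._blocked_until[key] = now + self.block_for
            return True
        return False

    def reset(self, key: str) -> None:
        """Clear the counter (e.g. after a successful login); an active block stays."""
        self._events.pop(key, None)


# Assumed policies: 5 failed logins tolerated per 15 min, then 15 min lockout;
# 100 requests per minute per IP, then a 10 minute block.
LOGIN_FAILURES = Limiter(limit=5, window=15 * 60, block_for=15 * 60)
PER_IP_REQUESTS = Limiter(limit=100, window=60, block_for=10 * 60)


def check_login(username: str, password_ok: bool, now: float) -> str:
    """Return 'locked', 'denied' or 'ok' for one login attempt."""
    if LOGIN_FAILURES.is_blocked(username, now):
        return "locked"  # refuse even a correct password while locked
    if not password_ok:
        return "locked" if LOGIN_FAILURES.record(username, now) else "denied"
    LOGIN_FAILURES.reset(username)
    return "ok"


def check_request(client_ip: str, now: float) -> str:
    """Return 'blocked' or 'allowed' for one request from `client_ip`."""
    return "blocked" if PER_IP_REQUESTS.record(client_ip, now) else "allowed"
```

Two details worth copying: a correct password during a lockout is still refused (otherwise the lockout only slows an attacker who already has the password), and the per-key counters are only cleared when the block expires, so a burst that ends exactly at the limit is not silently forgiven.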
Audit & Compliance
- Comprehensive Logging - All actions recorded
- User Attribution - Who did what, when
- IP Tracking - Request origin logging
- Retention Policies - Configurable log retention
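An audit record is only useful for attribution if every entry carries who, what, on which object, from where and when, in a form that can be queried and expired. The following is an added example (not SlimRMM's own logging code) of such records as JSON lines, with a retention pass and two of the queries an operator reviewing the log would run. The field names, the 90-day default and the sample entries are all constructed for illustration, not taken from the page.

```python
"""Added example, not from SlimRMM: structured audit records with user and IP
attribution, a configurable retention pass, and two review queries.

Field names, the 90-day default and the sample log are assumptions.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

RETENTION_DAYS = 90  # assumed default; the page only says retention is configurable


def audit_record(actor: str, action: str, target: str, client_ip: str,
                 outcome: str, when: Optional[datetime] = None) -> str:
    """Serialise one audit event as a single JSON line (timestamps in UTC)."""
    when = when or datetime.now(timezone.utc)
    record = {
        "ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,          # who
        "action": action,        # did what
        "target": target,        # to which object
        "client_ip": client_ip,  # from where
        "outcome": outcome,      # "success" or "denied"
    }
    return json.dumps(record, separators=(",", ":"), sort_keys=True)


def parse_audit_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON lines back into records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def apply_retention(lines: Iterable[str], now: datetime,
                    days: int = RETENTION_DAYS) -> List[str]:
    """Keep only records no older than `days` days; return the surviving lines."""
    cutoff = now - timedelta(days=days)
    kept = []
    for line in lines:
        if not line.strip():
            continue
        if datetime.fromisoformat(json.loads(line)["ts"]) >= cutoff:
            kept.append(line)
    return kept


def denied_by_ip(lines: Iterable[str]) -> Dict[str, int]:
    """Count denied actions per source IP, a simple brute-force signal."""
    counts = Counter(r["client_ip"] for r in parse_audit_log(lines) if r["outcome"] == "denied")
    return dict(counts)


def actions_by(lines: Iterable[str], actor: str) -> List[str]:
    """Who did what: the (time, action, target) trail of one user, oldest first."""
    recs = [r for r in parse_audit_log(lines) if r["actor"] == actor]
    recs.sort(key=lambda r: r["ts"])
    return [f'{r["ts"]} {r["action"]} {r["target"]}' for r in recs]


# Constructed sample log for the examples below (not real data).
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    audit_record("alice", "login", "-", "203.0.113.10", "success", NOW - timedelta(days=1)),
    audit_record("alice", "run_script", "agent/ws-042", "203.0.113.10", "success", NOW - timedelta(hours=23)),
    audit_record("mallory", "login", "-", "198.51.100.7", "denied", NOW - timedelta(days=2)),
    audit_record("mallory", "login", "-", "198.51.100.7", "denied", NOW - timedelta(days=2, minutes=-1)),
    audit_record("bob", "delete_agent", "agent/ws-001", "203.0.113.20", "success", NOW - timedelta(days=120)),
]
```

Timestamps are written in UTC with an explicit offset so entries from different hosts sort correctly and the retention cutoff is unambiguous; the retention pass reads the same field it wrote rather than relying on file modification times.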
Compliance
GDPR Ready
- Data stays in your infrastructure
- No data transfer to third parties
- User consent management
- Data export capabilities
- Right to deletion support
TISAX Preparation
- Self-hosted deployment option
- Comprehensive audit logging
- Access control and RBAC
- Encryption standards
- Documentation available
ISO 27001 Alignment
- Risk-based security approach
- Access control procedures
- Incident response support
- Regular security updates
- Security documentation
Security Best Practices
Installation
- [ ] Generate a unique SECRET_KEY (never keep a default or example value)
- [ ] Use strong database passwords
- [ ] Enable HTTPS with valid certificate
- [ ] Restrict CORS origins
- [ ] Configure firewall rules
Operations
- [ ] Enable MFA for admin accounts
- [ ] Apply security updates promptly
- [ ] Monitor audit logs
- [ ] Review user access periodically
- [ ] Back up encryption keys
Network
- [ ] Use reverse proxy (Nginx/Caddy)
- [ ] Implement rate limiting
- [ ] Configure IP allowlisting
- [ ] Enable security headers
- [ ] Monitor for anomalies
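Whether the reverse proxy actually emits the headers this checklist asks for (HSTS, CSP, X-Frame-Options, and a restricted CORS origin) is something to verify after every proxy change rather than assume. The following is an added example, not a SlimRMM tool, that audits the headers from a response such as the output of `curl -sI https://your-rmm-host/`. The two sample responses are constructed, and the one-year HSTS minimum and the `rmm.example.com` origin are assumptions for illustration.

```python
"""Added example, not from SlimRMM: audit the security headers a reverse proxy
in front of the server should set.

The sample responses below are constructed, not captured from a real server.
"""
from typing import Dict, List

MIN_HSTS_MAX_AGE = 31_536_000  # one year, assumed as the floor for a production host


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse `curl -sI` style output into a header dict (status line dropped)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str], allowed_origins: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # HSTS: present, with a long max-age, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age=") and d[8:].isdigit():
                max_age = int(d[8:])
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # CSP: a default-src fallback and no inline or any-origin scripts.
    policy: Dict[str, List[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or any-origin scripts")

    # Clickjacking: X-Frame-Options or its CSP equivalent, frame-ancestors.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in policy:
        findings.append("no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")

    # CORS: never a wildcard; any origin echoed back must be on the allowlist.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS allows any origin")
    elif acao is not None and acao not in allowed_origins:
        findings.append(f"CORS origin {acao} not in allowlist")

    return findings


# Constructed responses: a weak proxy configuration and a hardened one.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Security-Policy: script-src 'self' 'unsafe-inline'
Access-Control-Allow-Origin: *
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
Access-Control-Allow-Origin: https://rmm.example.com
Access-Control-Allow-Credentials: true
"""

ALLOWED_ORIGINS = ["https://rmm.example.com"]  # assumed deployment origin
```

Run it against the live host by pasting the `curl -sI` output into `parse_raw_headers`; the weak sample produces six findings, the hardened one none. Header names are compared case-insensitively because proxies and clients may change their case.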
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@kiefer-networks.de
- Include: Description, steps to reproduce, impact
- Do not: Disclose publicly before a patch is available
We aim to respond within 48 hours and patch critical issues within 7 days.
Security Updates
Security updates are released as needed:
- Critical: Immediate release
- High: Within 7 days
- Medium: Next minor release
- Low: Next major release
Subscribe to security announcements via our mailing list.
Next Steps
- Authentication - Detailed auth security
- mTLS - Agent certificate security
- RBAC - Permission system
- Audit Logging - Logging and compliance