This page covers the application-level settings you should review after installation. Pair these with the broader infrastructure guidance in Best Practices.
## Configuration Options

These settings live in your `config.php` file and control FOSSBilling's built-in security behavior.
### Security Options

| Property | Default | Options | Description |
|---|---|---|---|
| `mode` | `strict` | `strict` or `regular` | In `strict` mode, session cookies are set with `SameSite=Strict` and `HttpOnly`. In `regular` mode, cookies keep their default properties, though `HttpOnly` is still set. |
| `force_https` | `true` | bool | When enabled, FOSSBilling redirects all requests to HTTPS and forces cookies to be sent only over secure (HTTPS) connections. |
| `session_lifespan` | `7200` | int | How long a session remains valid, in seconds (the default is 2 hours). Once the lifespan elapses, the session expires and is destroyed. |
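As an added example (not FOSSBilling's own code), here is how the three `security` keys map onto PHP's session cookie parameters, together with a small check that flags values weaker than the documented defaults. The `cookieParamsFor()` and `auditSecurity()` helpers and the relaxed sample configuration are illustrative constructions; only the key names and defaults come from the table above.

```php
<?php
declare(strict_types=1);

// Added example, not FOSSBilling's own code. It translates the documented
// 'security' keys into PHP session cookie parameters and audits a config
// array for settings weaker than the defaults. Helper names are illustrative.

/** Map the 'security' section of config.php to session_set_cookie_params() options. */
function cookieParamsFor(array $security): array
{
    $mode     = $security['mode'] ?? 'strict';
    $https    = (bool) ($security['force_https'] ?? true);
    $lifespan = (int) ($security['session_lifespan'] ?? 7200);

    return [
        'lifetime' => $lifespan,  // cookie lifetime; server-side expiry is enforced separately
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,     // Secure flag: the cookie travels only over HTTPS
        'httponly' => true,       // set in both modes, keeps JavaScript away from the cookie
        'samesite' => $mode === 'strict' ? 'Strict' : '', // '' keeps PHP's default (attribute not set)
    ];
}

/** Return human-readable findings for settings weaker than the documented defaults. */
function auditSecurity(array $security): array
{
    $findings = [];
    $mode = $security['mode'] ?? 'strict';
    if ($mode !== 'strict') {
        $findings[] = "mode is '{$mode}': session cookies lose SameSite=Strict";
    }
    if (!($security['force_https'] ?? true)) {
        $findings[] = 'force_https is disabled: requests and cookies may travel over plain HTTP';
    }
    $lifespan = (int) ($security['session_lifespan'] ?? 7200);
    if ($lifespan > 7200) {
        $findings[] = "session_lifespan is {$lifespan}s, longer than the 2-hour default";
    }
    return $findings;
}

// The documented defaults, as they would appear in config.php.
$config = [
    'security' => [
        'mode'             => 'strict',
        'force_https'      => true,
        'session_lifespan' => 7200,
    ],
];
session_set_cookie_params(cookieParamsFor($config['security']));
// A subsequent session_start() now issues a cookie with Secure, HttpOnly and SameSite=Strict.

// Constructed relaxed configuration: every one of its settings is flagged.
$relaxed = ['mode' => 'regular', 'force_https' => false, 'session_lifespan' => 86400];
foreach (auditSecurity($relaxed) as $finding) {
    echo "[warn] {$finding}\n";
}
```

`session_set_cookie_params()` accepts the options array form from PHP 7.3 onward and must run before `session_start()`; the `lifetime` value only controls the cookie, so the server-side destruction the table describes is a separate mechanism.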
```php
'security' => [
    'mode'             => 'strict',
    'force_https'      => true,
    'session_lifespan' => 7200,
],
```

### API Security
| Property | Default | Options | Description |
|---|---|---|---|
| `CSRFPrevention` | `true` | bool | Enables CSRF protection for API requests. Keep it enabled unless it is causing a specific, identified problem. |
```php
'api' => [
    'CSRFPrevention' => true,
],
```

## Cloudflare
If you're using Cloudflare, enable IP Geolocation under your site's Network settings. With it enabled, Cloudflare passes the visitor's country to the origin, and FOSSBilling uses that information to strengthen some of its session checks.
## Reverse Proxies

### HTTPS Detection
Reverse proxies often make FOSSBilling see the request as plain HTTP even when the visitor connected over HTTPS, because TLS terminates at the proxy rather than at the application. To avoid that, make sure your proxy forwards the `X-Forwarded-Proto: https` header so the original scheme is detected correctly.
### Trusted Proxies

If you are running behind a reverse proxy, also review any trusted-proxy settings in your deployment so that forwarded request metadata (such as the client address and scheme) is accepted only from proxies you control and is interpreted correctly.
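The following added example (not FOSSBilling's code) ties the HTTPS Detection and Trusted Proxies points together: it honours `X-Forwarded-Proto` only when the request's immediate peer is in a trusted-proxy list, and otherwise falls back to the server's own `HTTPS` variable, since any client can send the header directly. The `requestIsHttps()` and `ipInCidr()` helpers, the trusted ranges and the sample `$_SERVER`-style arrays are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not FOSSBilling's own code. X-Forwarded-Proto is only
// authoritative when the TCP peer (REMOTE_ADDR) is a proxy you control;
// from anyone else the header is ignored. Names and ranges are illustrative.

/** Is the IPv4 address $ip inside $cidr (a bare address counts as /32)? */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (0xFFFFFFFF << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Decide whether the request arrived over HTTPS. $server mirrors $_SERVER.
 * Behind a trusted proxy the forwarded header decides; otherwise only the
 * web server's own HTTPS flag counts.
 */
function requestIsHttps(array $server, array $trustedProxies): bool
{
    $direct = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $peer   = $server['REMOTE_ADDR'] ?? '';
    // If several proxies appended values, the first one is the scheme the client used.
    $forwarded = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]));

    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            return $forwarded === 'https';
        }
    }
    return $direct;
}

// Constructed trusted ranges and sample requests.
$trusted = ['10.0.0.0/8', '127.0.0.1'];

$viaProxy  = ['REMOTE_ADDR' => '10.1.2.3',    'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$directTls = ['REMOTE_ADDR' => '203.0.113.7', 'HTTPS' => 'on'];

foreach (['via proxy' => $viaProxy, 'spoofed header' => $spoofed, 'direct TLS' => $directTls] as $label => $request) {
    printf("%-15s https=%s\n", $label, requestIsHttps($request, $trusted) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. The request relayed by `10.1.2.3` is treated as HTTPS because the header comes from a trusted range, the request from `203.0.113.7` carrying the same header is not, because the header is discarded, and a direct TLS connection is recognised from the server's own `HTTPS` variable. A proxy in the trusted list that fails to forward the header leaves the request classified as plain HTTP, which is the failure mode the HTTPS Detection section describes.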