Directus Security Review Document [Quick Checklist]?

[bbbjames]

Its my first Directus project and i'm going through it so I've put this together from what i've done so far.

I dont know if it will help others, but something like this as a living document could have been useful for me, maybe others?

What important things do you see that I missed and what did i got wrong? thank you 🙏

Directus Security Review

✅ Quick Checklist

• CVE updates: Latest Directus Version Check
• All critical env vars verified
• Infrastructure security configured (rate limiting, HSTS, CORS)
• Session security configured (secure cookies, timeouts)
• Password security configured (Argon2, 2FA, complexity)
• Access control roles defined (admin, editor, user, public)
• Directus flows audited (emitEvents, $full permissions, error handling)
• Frontend app security verified (input validation, XSS protection)
• Security testing completed (infrastructure tests, penetration testing)
• Compliance & documentation complete (policies, incident response)

---

Links

Access Control
Manage user and role permissions and policies for interacting with data in Directus.

Security & Limits
Configuration for access tokens, cookies, CSP, hashing, CORS, rate limiting, and request limits.

Security Best Practices Conversation
Discussion on GitHub around Security Best Practices Guide

Reporting Security Vulnerabilities
Report security vulnerabilities to the Directus team.

🔧 Directus Environment Variables

# Critical
SECRET="[see 🔐 Generate Secret]"
PUBLIC_URL="https://directus.url"

# Authentication
ACCESS_TOKEN_TTL="15m"
REFRESH_TOKEN_TTL="7d"
SESSION_COOKIE_SECURE="true"

# Rate Limiting
RATE_LIMITER_ENABLED="true"
RATE_LIMITER_POINTS="25"
RATE_LIMITER_DURATION="1"
RATE_LIMITER_STORE="memory"

# CORS
CORS_ENABLED="true"
CORS_ORIGIN="https://your-app.url"
CORS_CREDENTIALS="true"

# Security Headers
HSTS_ENABLED="true"

---

🔐 Generate Secret

PowerShell:

[Convert]::ToBase64String((1..32 | ForEach-Object { Get-Random -Minimum 0 -Maximum 256 }))

Bash:

openssl rand -base64 32

---

🧪 Testing

Rate Limiting (should see 429 after ~25 requests):

for i in {1..30}; do
  curl -i https://directus.url/auth/login \
    -X POST -H "Content-Type: application/json" \
    -d '{"email":"test@test.com","password":"wrong"}' | grep -E "HTTP|429"
  sleep 0.2
done

Server Test:
https://www.ssllabs.com/

HSTS + Security Headers:
https://securityheaders.com/

CORS Test:
https://cors-test.codehappy.dev/

---

📋 Remaining Tasks

Password + Login Security (Directus Admin Dashboard Config)

• Argon2 hashing enabled (Directus default)
• Minimum password length enforced (8+ chars)
• Password complexity requirements
• 2FA Enabled

Access Control / Role Configurations

• Define administrator role (limited to < 3 users)
• Define content manager role (Editor)
• Define authenticated user role (User)
• Configure public role with minimal permissions

System Collections

• System collections protected (directus_flows, directus_settings, etc.)
• Admin-only access configured (flows, settings, permissions, webhooks)
• Users collection properly secured
• Activity logs protected
• Sessions restricted (users see own only)

Field Permissions

• Protected fields (vote_count, etc.) read-only for users
• System fields (date_created, etc.) not editable
• Sensitive fields hidden from public

Session Configuration

• Session timeout < 24 hours
• Inactive timeout < 30 minutes
• SameSite cookie attribute configured
• Session timeouts tested

Directus Flows Security

• All flows audited and documented
• emitEvents: false on data modification flows
• $full permissions usage audited
• Blocking flow triggers reviewed
• User input sanitized in flows
• Webhook flows don't leak sensitive data
• Flow error handling implemented

Frontend App Security

• Input validation on all user inputs
• Output encoding (XSS prevention)
• API request validation and sanitization

Pen Testing

• Run security scan (OWASP ZAP / Burp Suite / Nessus)

Compliance & Documentation

Documentation

• Architecture diagram current
• Security procedures documented
• Incident response plan accessible

Compliance

• GDPR requirements met
• PCI DSS requirements met
• SOC 2 controls implemented
• Privacy policy published
• Terms of service published

[linear]

EDU-505

[bbbjames]

maybe adding a security category to the https://community.directus.io/categories and/or discord channel might work?

after posting this i really felt there must be a better place to have these kinds of conversations

what do you think?