
Security Hardening

This guide covers key security practices for running Quazzar Cloud OS in production.


Web Application Firewall (WAF)

Cloud OS includes a built-in WAF powered by Coraza, compatible with the OWASP Core Rule Set. The WAF inspects HTTP requests and blocks common attacks like SQL injection, XSS, and path traversal.

  • Detect mode — logs threats without blocking. Use this initially to identify false positives.
  • Block mode — actively blocks matching requests. Recommended for production.

Enable and configure the WAF from the Security section of the Cloud OS dashboard.

Start in detect mode for at least one week and review the requests it logs as threats. Switch to block mode once you are confident the rules do not affect legitimate traffic.


Firewall

Restrict network access to only required ports:

| Port | Protocol | Purpose |
| --- | --- | --- |
| 8080 | TCP | Cloud OS dashboard and API |
| 443 / 80 | TCP | HTTPS / HTTP redirect (when proxy is enabled) |
| 51820 | UDP | WireGuard VPN (when enabled) |
| 22 | TCP | SSH (restrict to management IPs) |

Use your firewall tool (UFW, iptables, cloud security groups) to deny all other incoming traffic.
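
One way to express the port table above as UFW rules, shown as an added example rather than Quazzar's own tooling. The function names and the MGMT_CIDR, ENABLE_PROXY, ENABLE_WIREGUARD and APPLY variables are assumptions made for this example, and 203.0.113.0/24 is a documentation range standing in for your management network.

```bash
#!/usr/bin/env bash
# Added example, not Quazzar's own tooling. Function and variable names are assumptions.

# Print one ufw command per line for the ports in the table above.
#   $1 management CIDR allowed to reach SSH, $2 proxy enabled (0/1), $3 WireGuard enabled (0/1)
cloudos_ufw_rules() {
  local mgmt_cidr="$1" proxy="${2:-0}" wireguard="${3:-0}"
  # SSH must stay limited to management IPs: reject empty, any-source, or malformed input.
  case "$mgmt_cidr" in
    ""|0.0.0.0/0|::/0|*[!0-9a-fA-F.:/]*)
      echo "error: pass a specific management IP or CIDR" >&2
      return 1 ;;
  esac
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"   # ufw's stock outbound policy, stated explicitly
  # The SSH rule comes before 'enable' so a management SSH session is not locked out.
  echo "ufw allow from $mgmt_cidr to any port 22 proto tcp"
  echo "ufw allow 8080/tcp"           # dashboard and API
  if [ "$proxy" = "1" ]; then
    echo "ufw allow 80/tcp"           # HTTP redirect
    echo "ufw allow 443/tcp"          # HTTPS
  fi
  if [ "$wireguard" = "1" ]; then
    echo "ufw allow 51820/udp"        # WireGuard VPN
  fi
  echo "ufw --force enable"
}

# Dry run by default; with APPLY=1 (as root) each printed command is executed.
cloudos_ufw_apply() {
  local rules
  rules="$(cloudos_ufw_rules "$@")" || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd || exit 1; done
  else
    printf '%s\n' "$rules"
  fi
}

# 203.0.113.0/24 is a documentation range standing in for the management network.
cloudos_ufw_apply "${MGMT_CIDR:-203.0.113.0/24}" "${ENABLE_PROXY:-1}" "${ENABLE_WIREGUARD:-0}"
```

Review the printed commands first, then rerun as root with APPLY=1 and confirm the result with `ufw status verbose`.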


TLS / HTTPS

When the built-in Caddy reverse proxy is enabled, Cloud OS automatically provisions Let’s Encrypt certificates with strong TLS defaults (TLS 1.2+, HSTS headers, automatic renewal).

For custom certificates (e.g., internal CA), place them in the Cloud OS certificates directory. Cloud OS will use them instead of provisioning from Let’s Encrypt.


Two-Factor Authentication

Enable TOTP-based two-factor authentication for the admin account from the Profile page. This is strongly recommended for any internet-facing instance.


Security Scanning

Cloud OS includes a built-in security scanner accessible from the dashboard. It checks:

  • TLS configuration and certificate validity
  • Security header presence (HSTS, CSP, X-Frame-Options)
  • Authentication settings (2FA, password strength)
  • Software update status
  • Backup encryption status

The scanner produces a security score (0-100) with category breakdowns and remediation guidance for each finding.


Hardening Checklist

  • Enable HTTPS (built-in proxy or external)
  • Enable WAF in block mode
  • Configure firewall to restrict ports
  • Enable TOTP two-factor authentication
  • Configure encrypted backups with off-site storage
  • Run a security scan and address critical findings
  • Restrict SSH access to management IPs
  • Set log level to info in production

Tips

  • Run security scans regularly and after configuration changes.
  • Track the security score over time as a KPI.
  • Subscribe to security finding webhooks for automated alerting.
  • Keep Cloud OS updated for security patches.