Securing your PanelConfig installation
The security controls built into PanelConfig and the settings worth reviewing right after installation.
PanelConfig is built so that the secure path is the default path. This guide covers the protections already in place and the few things worth checking after you install.
Built-in protections
- CSRF tokens on every state-changing form in PCAdmin and PCUser.
- Prepared statements for every database query, so user input is never concatenated into SQL.
- Rate-limited authentication with every attempt recorded in login history.
- An append-only audit log capturing administrative actions with actor, action, status, and timestamp.
- An installation lock that prevents the installer from being re-run over live data.
The Security Center
PCAdmin includes a Security Center for firewall rules, WAF rules, IP blocks, and malware scan results. Server-level enforcement is applied through queued jobs that the allowlisted worker executes — the web interface never runs shell commands directly.
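The queue-and-allowlisted-worker pattern described above, sketched as an added example; this is not PanelConfig's own code. The job record shape, the action names and the ufw command templates are assumptions made for illustration.

```python
import ipaddress
import subprocess


class JobRejected(Exception):
    """Raised when a queued job is not on the allowlist or has bad parameters."""


def valid_ip(value):
    # Accept only a plain IPv4/IPv6 literal; reject non-strings and zone IDs.
    if not isinstance(value, str) or "%" in value:
        raise JobRejected("ip must be a plain address string")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise JobRejected("not an IP address: %r" % value) from None


# Hypothetical action names and command templates (assumptions for this example).
# Each entry: a fixed argv template plus one validator per parameter.
ALLOWED_ACTIONS = {
    "block_ip": (["ufw", "deny", "from", "{ip}"], {"ip": valid_ip}),
    "unblock_ip": (["ufw", "delete", "deny", "from", "{ip}"], {"ip": valid_ip}),
}


def build_argv(job):
    """Turn a queued job record into an argv list, or raise JobRejected."""
    action, params = job.get("action"), job.get("params")
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise JobRejected("action not allowlisted: %r" % (action,))
    template, validators = ALLOWED_ACTIONS[action]
    if not isinstance(params, dict) or set(params) != set(validators):
        raise JobRejected("unexpected or missing parameters")
    clean = {name: check(params[name]) for name, check in validators.items()}
    # Placeholders are whole argv elements, so a value can never add arguments.
    return [clean[p[1:-1]] if p.startswith("{") else p for p in template]


def run_job(job, runner=subprocess.run):
    """Worker entry point: validate first, then execute without a shell."""
    return runner(build_argv(job), shell=False, check=True)


# Constructed sample queue: one legitimate job, two that must be refused.
SAMPLE_QUEUE = [
    {"action": "block_ip", "params": {"ip": "203.0.113.7"}},
    {"action": "block_ip", "params": {"ip": "203.0.113.7; reboot"}},
    {"action": "run_shell", "params": {"cmd": "id"}},
]
```

The web layer only ever writes records like those in SAMPLE_QUEUE; the worker decides what, if anything, they become on the command line.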
After you install
- Confirm the installation lock is present (storage/install.lock).
- Review which users hold administrative roles under PCAdmin → Users.
- Issue scoped API tokens rather than sharing a single broad token.
- Check login history and the audit log periodically for unexpected activity.
Treat API tokens like passwords: they are shown once, stored only as a hash, and can be revoked instantly in PCAdmin.