Security Guidelines

Rocket.Chat is a communications platform designed with a deep understanding of its users' need for strong security, data protection, and privacy controls. It provides a comprehensive set of security features and customizable configurations to safeguard workspaces against potential threats. These security controls allow administrators to fine-tune the platform to meet specific organizational requirements, ensuring that sensitive information remains protected. The following guidelines help administrators understand and configure the main security features of Rocket.Chat.

Avatar Access

Rocket.Chat allows administrators to decide, under the accounts settings, whether users’ avatars are available to unauthenticated users. If administrators see no reason to expose users’ avatars to unauthenticated users, they should block that access.

In the latest versions of Rocket.Chat, avatar access to unauthenticated users is disabled by default.

Content Security Policy (CSP)

A Content Security Policy (CSP) is a security feature that helps prevent cross-site scripting (XSS) attacks by controlling which resources can be loaded by the Rocket.Chat web client. By defining a strict CSP, administrators can limit the execution of malicious scripts or the loading of resources from untrusted domains. It's important to configure CSP headers to only allow trusted sources for scripts, styles, and other resources.

Workspace administrators can configure the Content Security Policy (CSP) to allow scripts from external domains when necessary. However, caution is required to avoid introducing security risks. For instance, allowing scripts from domains like github.com can be dangerous, as anyone can upload potentially malicious code to GitHub repositories, making it easy to circumvent CSP protections. To mitigate this, administrators should carefully select and limit the domains they trust to minimize vulnerabilities.

Lastly, disabling CSP entirely exposes Rocket.Chat to significant security risks and is strongly advised against.
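The following is an added example, not code from Rocket.Chat, showing how an administrator might audit a Content-Security-Policy header value before applying it: it flags wildcard and unsafe keywords, and hosts where anyone can publish content (the guideline's github.com case). Directive and keyword names follow the CSP specification; the PUBLIC_CODE_HOSTS list is an assumption made for this example.

```javascript
// Added example, not part of Rocket.Chat: audit a Content-Security-Policy header
// value and report source expressions that weaken its protection against XSS.
// Directive and keyword names follow the CSP specification; PUBLIC_CODE_HOSTS is
// an assumed, illustrative list of hosts where anyone can publish content.

// Keywords and schemes that effectively let any script or resource load.
const WEAK_SOURCES = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"]);

// Hosts where arbitrary users can publish files (assumed list for this example).
const PUBLIC_CODE_HOSTS = ["github.com", "githubusercontent.com", "gitlab.com"];

// Directives that govern what gets executed or applied as code or style.
const CODE_DIRECTIVES = ["default-src", "script-src", "style-src", "object-src"];

// Split "name src src; name src" into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(";")) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Reduce a host-source such as https://cdn.example.com:443/libs to its host name.
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0].split(":")[0].toLowerCase();
}

// Return a list of human-readable findings; an empty list means no weakness found.
function auditCsp(header) {
  const findings = [];
  const directives = parseCsp(header);
  if (directives.size === 0) {
    findings.push("empty policy: CSP is effectively disabled");
    return findings;
  }
  if (!directives.has("script-src") && !directives.has("default-src")) {
    findings.push("neither script-src nor default-src is set: scripts may load from anywhere");
  }
  for (const name of CODE_DIRECTIVES) {
    for (const src of directives.get(name) ?? []) {
      if (WEAK_SOURCES.has(src.toLowerCase())) {
        findings.push(`${name}: ${src} allows content from untrusted sources`);
        continue;
      }
      const host = hostOf(src);
      if (host.startsWith("*.")) findings.push(`${name}: ${src} trusts every subdomain`);
      const bare = host.replace(/^\*\./, "");
      if (PUBLIC_CODE_HOSTS.some((h) => bare === h || bare.endsWith("." + h))) {
        findings.push(`${name}: ${src} is a public code host, so anyone can publish scripts there`);
      }
    }
  }
  return findings;
}
```

A policy such as `default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'` produces no findings, while `default-src *; script-src 'self' 'unsafe-inline' https://github.com` produces three; an empty header is reported as CSP being disabled, which the guideline advises against.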

Cross-Origin Resource Sharing (CORS)

CORS (Cross-Origin Resource Sharing) enables websites to communicate with Rocket.Chat workspaces by allowing them to send requests and access the responses. For workspaces that don't require interaction from external websites, CORS should remain disabled for security reasons. If enabling CORS is necessary, it should be configured to permit only specific, trusted domains. Using wildcards (*) or null values in CORS settings is especially risky and should be avoided.
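As an added example that is not Rocket.Chat's own code, the functions below show the allowlist approach the guideline recommends: the allowlist builder refuses `*` and `null` entries, and the response logic echoes only an exactly matched origin. Origin values are constructed for illustration.

```javascript
// Added example, not part of Rocket.Chat: decide which Access-Control-Allow-Origin
// header to send for a request, given an explicit allowlist of trusted origins.
// "*" and "null" are refused because both let any site read responses; the
// lookup echoes the exact matched origin instead of a wildcard.

// Canonical form of an origin: scheme://host[:port], lower-cased, default port
// dropped. Strings that are not valid URLs (including "null") are returned as-is.
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin;
  } catch {
    return origin.trim().toLowerCase();
  }
}

// Build the allowlist from configuration, rejecting values that would
// grant access to every origin.
function buildCorsAllowlist(configuredOrigins) {
  const allowlist = new Set();
  for (const value of configuredOrigins) {
    const trimmed = value.trim();
    if (trimmed === "*" || trimmed.toLowerCase() === "null" || trimmed.includes("*")) {
      throw new Error(`refusing unsafe CORS origin entry: ${value}`);
    }
    allowlist.add(normalizeOrigin(trimmed));
  }
  return allowlist;
}

// Headers to add to a response for a request carrying the given Origin.
// Returns an empty object when no CORS headers should be sent, which makes
// the browser block cross-origin reads of the response.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin) return {}; // same-origin or non-browser request
  const origin = normalizeOrigin(requestOrigin);
  if (origin === "null" || !allowlist.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // the matched origin, never "*"
    "Vary": "Origin", // keep caches from serving one origin's response to another
  };
}
```

The `Vary: Origin` header matters whenever the allowed origin is echoed per request: without it a shared cache could hand a response tagged for one origin to a different one.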

Data In Transit Encryption (TLS)

Rocket.Chat is designed to be a robust middle-tier application server. While it doesn't handle SSL directly, it seamlessly integrates with trusted and high-performance reverse proxy servers like Nginx. By configuring one of these servers, you can effectively manage SSL for your Rocket.Chat instance, ensuring secure and reliable communication.

When setting up a reverse proxy in front of your Rocket.Chat server, you must configure Rocket.Chat so that it determines the correct clientAddress. The rate limiter and other features may not function properly otherwise. Set the HTTP_FORWARDED_COUNT environment variable to the number of proxies in front of Rocket.Chat; by default, it is set to 1.

Additionally, ensure that your proxies and load balancers ignore any X-Real-Ip header supplied by end users rather than forwarding it. Rocket.Chat prioritizes the X-Real-Ip header when determining the clientAddress, so a misconfigured proxy could allow users to bypass rate limiting and other security measures.
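To make the two points above concrete, here is an added example (not Rocket.Chat's own implementation) that resolves a client address behind trusted proxies and simulates one proxy hop. The lookup order (X-Real-Ip first, then X-Forwarded-For counted from the right, then the socket address) follows the description in this section; the proxy simulation, `forwardedCount` standing in for HTTP_FORWARDED_COUNT, and all addresses are assumptions constructed for illustration.

```javascript
// Added example, not part of Rocket.Chat: recover the client address behind
// trusted reverse proxies and show why a proxy must overwrite any X-Real-Ip
// header the end user sends. The proxy simulation is constructed for illustration.

// Simulate one reverse-proxy hop (constructed behaviour). A correctly configured
// proxy sets X-Real-Ip to the address it saw; a misconfigured one keeps whatever
// the client supplied. X-Forwarded-For is appended to either way.
function proxyHop(incomingHeaders, peerAddress, { overwriteRealIp }) {
  const out = { ...incomingHeaders };
  const prior = out["x-forwarded-for"];
  out["x-forwarded-for"] = prior ? `${prior}, ${peerAddress}` : peerAddress;
  if (overwriteRealIp || !out["x-real-ip"]) out["x-real-ip"] = peerAddress;
  return out;
}

// Pick the client address out of X-Forwarded-For. Each trusted proxy appends the
// address it received the request from, so with N trusted proxies the client is
// the N-th entry from the right; anything further left was supplied by the client.
function fromForwardedFor(value, forwardedCount) {
  const chain = value.split(",").map((s) => s.trim()).filter(Boolean);
  if (chain.length < forwardedCount) return null; // fewer hops than trusted: ignore header
  return chain[chain.length - forwardedCount];
}

// Application-side resolution; forwardedCount plays the role of HTTP_FORWARDED_COUNT.
function clientAddress(headers, socketAddress, forwardedCount = 1) {
  if (headers["x-real-ip"]) return headers["x-real-ip"].trim();
  if (headers["x-forwarded-for"] && forwardedCount > 0) {
    const fromXff = fromForwardedFor(headers["x-forwarded-for"], forwardedCount);
    if (fromXff) return fromXff;
  }
  return socketAddress;
}

// Walk a request from a client that sends spoofed headers through one proxy and
// return the address the application would apply rate limiting to.
function resolveThroughProxy(overwriteRealIp) {
  const spoofed = { "x-real-ip": "10.0.0.1", "x-forwarded-for": "10.0.0.1" }; // constructed
  const realClient = "203.0.113.7"; // constructed: address the proxy actually sees
  const seenByApp = proxyHop(spoofed, realClient, { overwriteRealIp });
  return clientAddress(seenByApp, "192.0.2.10", 1); // 192.0.2.10 stands in for the proxy
}
```

With the proxy overwriting X-Real-Ip the application sees 203.0.113.7; with the header merely forwarded it sees the client-chosen 10.0.0.1, which is the bypass this section warns about.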

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is a security mechanism designed to ensure that sensitive data is not improperly shared, misused, lost, or accessed by unauthorized individuals.

Rocket.Chat’s DLP app provides several features to prevent data loss, including restricting access to sensitive information, monitoring data transfers, and detecting or blocking potentially harmful activities.

For example, if sensitive information like credit card numbers, phone numbers, or IP addresses is shared in a Rocket.Chat room, the DLP app can help prevent or limit such exchanges.

To enable DLP in your workspace, the administrator must install and configure the DLP app from the Rocket.Chat marketplace.

EXIF Metadata

Pictures and images may carry sensitive information in their metadata, such as geolocation and details about the device that took the picture. If administrators see no use case for uploading images with their metadata intact, EXIF metadata removal should be enabled.

In the latest versions of Rocket.Chat, metadata removal is enabled by default.

File Upload

File uploads are critical for many organizations, but they also introduce potential security risks that must be carefully managed. If an administrator determines that file uploads are unnecessary for their workspace, it’s best practice to disable the feature entirely to reduce exposure to these risks.

For workspaces where file uploads are needed, the following settings are recommended to enhance security:

  • Set File Size Limits: Prevent users from uploading excessively large files that could consume valuable storage space or slow down system performance.

  • Restrict File Types: Only allow necessary file formats to be uploaded. Block potentially dangerous file types such as .exe, .sh, .js, and others that could contain malicious code.

  • Limit File Access: If unauthenticated users don’t need access to file uploads, configure Rocket.Chat to block their file access, ensuring that only authorized users can view or download shared files.

Detailed instructions for configuring file uploads are available here.
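The three recommendations above can be combined into one check on each upload. The code below is an added example, not Rocket.Chat's own upload handling (which is configured through the admin settings referred to above): it enforces a size limit, rejects blocked extensions anywhere in the file name, and accepts only allowlisted types whose leading bytes match, so a renamed executable cannot pass as an image. The 10 MiB limit, the allowlist, the extra blocked extensions beyond the guideline's .exe, .sh and .js, and the sample files are assumptions constructed for this example.

```javascript
// Added example, not part of Rocket.Chat: validate an upload against a size
// limit and a type allowlist. The limit, allowlist and block list are assumed
// values for this illustration.

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024; // assumed 10 MiB limit

// Allowed extensions with the leading bytes ("magic numbers") their content must
// start with, so a renamed executable cannot pass as an image or document.
const ALLOWED_TYPES = new Map([
  ["png", [0x89, 0x50, 0x4e, 0x47]],
  ["jpg", [0xff, 0xd8, 0xff]],
  ["jpeg", [0xff, 0xd8, 0xff]],
  ["pdf", [0x25, 0x50, 0x44, 0x46]],
]);

// Extensions never accepted anywhere in the name: the guideline's examples
// (.exe, .sh, .js) plus assumed additions.
const BLOCKED_EXTENSIONS = new Set(["exe", "sh", "js", "bat", "cmd", "ps1", "html", "svg"]);

// Every extension segment, so "report.pdf.exe" yields ["pdf", "exe"].
function extensionsOf(fileName) {
  return fileName.toLowerCase().split(".").slice(1).filter(Boolean);
}

// Return the list of reasons to reject the upload; an empty list means accept.
// `head` holds the first bytes of the file content (array or Uint8Array).
function validateUpload({ name, size, head }) {
  const problems = [];
  if (size > MAX_UPLOAD_BYTES) problems.push(`size ${size} exceeds limit of ${MAX_UPLOAD_BYTES} bytes`);
  const exts = extensionsOf(name);
  if (exts.length === 0) {
    problems.push("file has no extension");
    return problems;
  }
  if (exts.some((e) => BLOCKED_EXTENSIONS.has(e))) {
    problems.push(`${name} has a blocked extension`);
    return problems;
  }
  const last = exts[exts.length - 1];
  const magic = ALLOWED_TYPES.get(last);
  if (!magic) {
    problems.push(`.${last} is not in the allowlist`);
  } else if (!magic.every((byte, i) => head[i] === byte)) {
    problems.push(`content of ${name} does not look like a .${last} file`);
  }
  return problems;
}
```

Checking the content's leading bytes in addition to the extension is what turns "restrict file types" from a naming convention into an actual control; an allowlist is preferred over a block list because new dangerous types appear faster than block lists are updated.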

Password Policy

Implementing a sufficiently complex password policy prevents your users from setting easy-to-guess passwords that attackers can leverage.

Rocket.Chat allows administrators to configure password policies as they see fit. We recommend the following settings:

  • At least 12 characters

  • Lowercase letters

  • Uppercase letters

  • Numbers

  • Symbols
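As an added example, not code from Rocket.Chat (whose policy is configured in the admin settings), the following checks a candidate password against exactly the five recommended rules and returns the ones it fails, which is the information a registration form needs in order to tell the user what is missing.

```javascript
// Added example, not part of Rocket.Chat: evaluate a password against the
// recommended policy and report the rules it does not satisfy.

const PASSWORD_RULES = [
  ["at least 12 characters", (p) => [...p].length >= 12], // count code points, not UTF-16 units
  ["a lowercase letter", (p) => /\p{Ll}/u.test(p)],
  ["an uppercase letter", (p) => /\p{Lu}/u.test(p)],
  ["a number", (p) => /\p{Nd}/u.test(p)],
  ["a symbol", (p) => /[^\p{L}\p{Nd}]/u.test(p)], // anything that is not a letter or digit
];

// Labels of every rule the password fails; an empty list means it passes.
function passwordPolicyFailures(password) {
  return PASSWORD_RULES.filter(([, satisfied]) => !satisfied(password)).map(([label]) => label);
}

function meetsPasswordPolicy(password) {
  return passwordPolicyFailures(password).length === 0;
}
```

The Unicode property classes (`\p{Ll}`, `\p{Lu}`, `\p{Nd}`) make the letter and digit rules apply to non-Latin scripts as well, so users writing in other alphabets are not forced into ASCII-only passwords.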

Principle of Least Privilege

Rocket.Chat has a large list of configurable permissions. However, granting users more privileges than they need to do their jobs, or dangerous permissions that could lead to admin access, is a concern.

Administrators should follow the Principle of Least Privilege (POLP) to minimize potential security risks. This means that users should only be granted the minimum level of access necessary to perform their tasks. Administrators should regularly audit user roles and permissions to ensure no user has more access than required. Some recommendations include:

  • Assigning roles based on job responsibilities

  • Limiting administrative access to only trusted personnel

  • Regularly reviewing and updating user access rights, especially when roles change or users leave the organization

Retention Policy

The retention policy in Rocket.Chat allows you to automatically delete old messages and files in your workspace based on custom rules. If you prefer not to keep messages or files indefinitely, you can enable the retention policy to remove them automatically after a specified period.

Retention policies can be applied globally across all rooms or customized room-by-room. For example, you might choose to delete messages older than 30 days in casual chat rooms while keeping project discussions for six months.

Two-Factor Authentication (2FA)

2FA is a powerful security measure that adds an extra layer of protection to user accounts in Rocket.Chat. By requiring a password and a second verification method, 2FA helps prevent unauthorized access, even if a user's password is compromised. This additional step significantly enhances the security of your Rocket.Chat workspace, making it much more difficult for attackers to gain access to sensitive data or conversations.

2FA in Rocket.Chat can either be:

  • Email 2FA

  • TOTP (Authenticator) 2FA

As a security best practice, workspace administrators should ensure that 2FA is enabled on their workspaces. Disabling it may expose your workspace to significant security risks.