Account Security

Use a strong, unique password

Your Strawly password should be unique — do not reuse a password from another service. Use a password manager to generate and store a strong password.

See Passwords for password requirements and how to change your password.

Sign out when you're done

Strawly keeps you logged in via a session token. On shared or untrusted computers, always sign out when you have finished:

  1. Click your avatar or initials in the top-right corner.
  2. Select Sign out.

This invalidates your current session token.

Session behaviour

  • Sessions expire after a period of inactivity (configured by your administrator).
  • Changing your password invalidates all other active sessions, but not the session you used to make the change.
  • If you suspect your account has been accessed without your knowledge, change your password immediately. This logs out all other sessions.

Protect admin accounts

Admin accounts have full access to all data, users, and settings. If you hold an Admin role:

  • Do not share your credentials with anyone. Create separate accounts for other administrators.
  • Log out after each session on shared machines.
  • Change your password immediately if you believe it has been compromised.
  • Review the user list periodically and deactivate accounts that are no longer in use.

See Permissions for guidance on keeping Admin access to a minimum.

For administrators: hardening your deployment

Beyond individual account security, protect your Strawly instance at the infrastructure level:

  • Enable HTTPS — never expose Strawly over plain HTTP in production. See Production.
  • Restrict network access — use a firewall or VPN to limit who can reach the Strawly UI and API.
  • Keep Strawly updated — pull the latest images regularly to get security patches. See Updating.
  • Rotate secrets periodically — regenerate JWT_SECRET and CREDENTIALS_ENCRYPTION_KEY and redeploy. This invalidates all existing sessions.
  • Monitor logs — watch for unexpected login attempts or API calls in your container logs.
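The two invalidation rules described above (a password change keeps only the session that made it, while regenerating JWT_SECRET invalidates every session at once) follow from how signed session tokens and server-side session state interact. The model below is an added example written for this page, not Strawly's code: it assumes sessions are HS256-signed JWTs carrying a user id and a session id, that the server keeps a set of live session ids per user, and that JWT_SECRET is the signing key. The class and method names (SessionService, sign_in, sign_out, change_password, rotate_secret) and the sample secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed stand-in for the deployment's JWT_SECRET; a real one is long and random.
INITIAL_JWT_SECRET = b"constructed-example-secret"


def _b64(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


class SessionService:
    """Hypothetical session layer: HS256 JWTs plus a server-side record of live sessions."""

    def __init__(self, jwt_secret: bytes = INITIAL_JWT_SECRET):
        self.jwt_secret = jwt_secret
        self.active: dict = {}  # user -> set of session ids that are still valid

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self.jwt_secret, signing_input.encode(), hashlib.sha256).digest()

    def sign_in(self, user: str) -> str:
        """Record a fresh session id for the user and return the signed token for it."""
        sid = secrets.token_hex(16)
        self.active.setdefault(user, set()).add(sid)
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps({"sub": user, "sid": sid}).encode())
        return f"{header}.{body}.{_b64(self._sign(f'{header}.{body}'))}"

    def verify(self, token: str) -> Optional[dict]:
        """Return the payload if the token is genuine and its session is still live, else None."""
        try:
            header, body, sig = token.split(".")
            if json.loads(_unb64(header)).get("alg") != "HS256":
                return None  # accept only the algorithm we sign with
            if not hmac.compare_digest(self._sign(f"{header}.{body}"), _unb64(sig)):
                return None  # tampered, forged, or signed under a rotated secret
            payload = json.loads(_unb64(body))
        except ValueError:  # malformed base64, JSON or segment count
            return None
        if payload.get("sid") not in self.active.get(payload.get("sub"), set()):
            return None  # signed out, or revoked by a password change
        return payload

    def sign_out(self, token: str) -> bool:
        """The Sign out action: invalidate just this session's id."""
        payload = self.verify(token)
        if payload is None:
            return False
        self.active[payload["sub"]].discard(payload["sid"])
        return True

    def change_password(self, token: str) -> bool:
        """Keep the session that made the change; revoke every other session of that user."""
        payload = self.verify(token)
        if payload is None:
            return False
        self.active[payload["sub"]] = {payload["sid"]}
        return True

    def rotate_secret(self, new_secret: bytes) -> None:
        """Regenerating JWT_SECRET: tokens signed with the old key no longer verify."""
        self.jwt_secret = new_secret


def demo() -> dict:
    """Walk through both rules with one user signed in from two machines."""
    svc = SessionService()
    laptop = svc.sign_in("alice")
    shared_pc = svc.sign_in("alice")
    svc.change_password(laptop)
    after_change = (svc.verify(laptop) is not None, svc.verify(shared_pc) is not None)
    svc.rotate_secret(secrets.token_bytes(32))
    after_rotate = svc.verify(laptop) is not None
    return {"after_change": after_change, "after_rotate": after_rotate}


if __name__ == "__main__":
    print(demo())  # {'after_change': (True, False), 'after_rotate': False}
```

The point the model makes visible: a valid signature alone is not enough, because the server also checks that the session id is still recorded as live. Password changes work on that server-side record, so they can spare the current session, whereas a secret rotation breaks signature verification for every token regardless of record, which is why the hardening step above warns that it signs everyone out.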

Reporting a security issue

If you discover a security vulnerability in Strawly, please report it responsibly by emailing security@strawly.app rather than opening a public issue.