Security Practices
Harden your LibreAuth deployment and client applications.
Server-side
- Always use HTTPS in production
- Enable Require Sign — clients verify Ed25519 signatures
- Enable Anti-Tamper — replay block, IP bind, HWID session lock
- Use Hash Check — whitelist exe MD5 hashes in panel
- Never expose the Application Secret in client binaries
- Block install/ after setup, except upgrade.php
- Keep config.production.php out of git
Client-side
- Obfuscate API URL, app name, owner ID (VMProtect, Themida, custom XOR)
- Verify response signatures before trusting JSON
- Send the exe hash on init when hash check is enabled
- Call check() periodically to detect session hijack
- Do not store license keys in plain text on disk
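Verifying the Ed25519 signature over the raw response bytes before any JSON is parsed, as an added Go example that is not LibreAuth's own client code; the JSON field names, the hex-encoded signature and the assumption that the server signs the exact body bytes are assumptions of this example:

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Response holds the fields a client reads from a signed JSON reply.
// Field names are assumptions for this example, not LibreAuth's schema.
type Response struct {
	Success bool   `json:"success"`
	Message string `json:"message"`
}

var ErrBadSignature = errors.New("response signature invalid")

// ParseSigned checks the Ed25519 signature over the raw body first and only
// then unmarshals it, so an unverified body never influences the client.
func ParseSigned(pub ed25519.PublicKey, body []byte, sigHex string) (*Response, error) {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadSignature
	}
	var r Response
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	return &r, nil
}

func main() {
	// Constructed keypair standing in for the server's signing key;
	// a real client embeds only the public half.
	pub, priv, _ := ed25519.GenerateKey(nil)
	body := []byte(`{"success":false,"message":"license expired"}`)
	sig := hex.EncodeToString(ed25519.Sign(priv, body))
	r, err := ParseSigned(pub, body, sig)
	fmt.Println(r.Success, err) // false <nil>
	// Flipping "success" in transit breaks the signature, so parsing never happens.
	forged := []byte(`{"success":true,"message":"license expired"}`)
	_, err = ParseSigned(pub, forged, sig)
	fmt.Println(err) // response signature invalid
}
```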
Panel access
- Change default admin password immediately
- Enable 2FA for seller accounts (panel settings)
- Use team accounts with limited permissions instead of sharing main login
- Seller API keys support IP whitelist — use it
INFO: Full anti-tamper guide: Anti-Tamper. Signature setup: Response Signing.