What Is the Database Manager?
The Odoo database manager (/web/database/manager) lets unauthenticated users create, duplicate, delete, back up and restore databases, gated only by the master password. In production, leaving it reachable is a critical security risk.
The Risk
Anyone who can reach /web/database/manager can:
1. Create a new database (consume server resources)
2. Duplicate your production database (steal all data)
3. Delete your production database (destroy everything)
4. Download a backup (steal all data + passwords)
5. Restore a different database (replace your data)
The only protection is the "master password", which:
- Defaults to "admin" (!!)
- Is stored in plaintext in odoo.conf
- Is often left as the default

Fix 1: Disable Database Listing (Minimum)
```ini
# odoo.conf:
list_db = False
# This hides the database selector on the login page
```
But the database manager page itself is still reachable, so this is only a first step.

Fix 2: Set Strong Master Password
Generate a random value on the server and paste the literal string into odoo.conf. The config file is not a shell script: a command substitution such as $(python3 -c ...) written into it is read as the literal password, not evaluated.
```shell
# Generate a strong random password:
python3 -c "import secrets; print(secrets.token_hex(32))"
# Example output: a4f8c9d2e1b3a5f7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1
```
```ini
# odoo.conf (paste the generated value; the example output above is used here):
admin_passwd = a4f8c9d2e1b3a5f7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1
# Store it securely (not just in odoo.conf)
```
Keep a copy in your password manager.

Fix 3: Block in nginx (Recommended)
Add this to your nginx config before the location / block (placement is not critical: among prefix locations nginx always uses the longest match, regardless of order; only regex locations are evaluated in the order written).
```nginx
# Block the database manager completely.
# One prefix location covers every endpoint under it, so separate blocks for
# /web/database/selector, /create, /drop, /duplicate, /backup and /restore
# are not needed:
location /web/database {
    deny all;
    return 404;   # return runs in the rewrite phase, before deny is even checked
}

# Equivalent regex form. Regex locations take priority over prefix locations,
# so use this if another regex location in your config could also match:
location ~ ^/web/database {
    deny all;
    return 404;
}
```
Either form only helps if all traffic really passes through nginx: bind Odoo to 127.0.0.1 or firewall its own port (8069 by default) so the backend cannot be reached directly.

Fix 4: Block in Cloudflare WAF
If you use Cloudflare: Security → WAF → Create Rule
Expression: (http.request.uri.path contains "/web/database")
Action: Block
This blocks access before the request even reaches your server.

Fix 5: Use dbfilter
```ini
# odoo.conf: restrict which databases Odoo serves
dbfilter = ^production$
# Only the database named "production" will be accessible
```
Operations on any other database are refused, even if it exists on the same PostgreSQL server.

Fix 6: Firewall Rules
If you need database manager access for admin tasks, allow it only from specific IPs:
```nginx
location ~ ^/web/database {
    allow 203.0.113.50;   # Office IP
    allow 10.0.0.0/8;     # VPN
    deny all;             # everyone else gets 403 Forbidden
    # A location without a handler is served from nginx's document root, so
    # repeat the proxy_pass and proxy_set_header lines from your location /
    # block here (127.0.0.1:8069 is an example; 8069 is Odoo's default port):
    proxy_pass http://127.0.0.1:8069;
}
```
Or access the database manager only through an SSH tunnel:
```shell
ssh -L 8069:localhost:8069 user@server
# The tunnel talks to Odoo on the server's own localhost, bypassing nginx;
# the master password from Fix 2 is still required.
```
Then open http://localhost:8069/web/database/manager in your browser.

Complete Production Security Checklist
```ini
# odoo.conf:
admin_passwd = very_long_random_string_here
list_db = False
dbfilter = ^production$
proxy_mode = True   # trusts X-Forwarded-* headers, so Odoo must be reachable only via the proxy
```
```nginx
location ~ ^/web/database {
    deny all;
    return 404;
}
```
Cloudflare (if used):
A WAF rule blocking /web/database (Fix 4).

Testing
```shell
# Verify the database manager is blocked:
curl -I https://your-domain.com/web/database/manager
# Should return: 404 Not Found (403 Forbidden if you used the allow/deny rules from Fix 6)
curl -I https://your-domain.com/web/database/selector
# Should return: 404 Not Found
```
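To check every endpoint at once, against the public hostname and then against the raw Odoo port, here is an added audit script (not from the original article). It assumes curl is installed; the path list is the one the nginx rules above cover, and the STATUS_FN hook only exists so the function can be exercised without a network.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the Odoo
# database-manager paths from outside and fail if any of them still answers.
# Assumes curl is installed. Paths are the ones the nginx rules above cover.

DB_PATHS="/web/database/manager /web/database/selector /web/database/create
/web/database/duplicate /web/database/drop /web/database/backup /web/database/restore"

# http_status URL: print the HTTP status of a HEAD request.
# curl prints "000" when no connection could be made (e.g. a firewalled port).
http_status() {
    curl -s -o /dev/null -I --max-time 10 -w '%{http_code}' "$1" || true
}

# audit_db_manager BASE_URL: probe every path under BASE_URL.
# Prints one line per path; returns 0 only if nothing is exposed.
# 403 or 404 counts as blocked; 000 means unreachable (expected when you probe
# the raw Odoo port); anything else, including 200, counts as exposed.
# STATUS_FN names the status function, overridable for offline testing.
audit_db_manager() {
    base="${1%/}"
    exposed=0
    for p in $DB_PATHS; do
        code=$("${STATUS_FN:-http_status}" "$base$p")
        code=${code:-ERR}
        case "$code" in
            403|404) echo "BLOCKED $code $base$p" ;;
            000)     echo "UNREACHABLE $code $base$p" ;;
            *)       echo "EXPOSED $code $base$p"; exposed=$((exposed + 1)) ;;
        esac
    done
    [ "$exposed" -eq 0 ]
}

# Usage: sh audit.sh https://your-domain.com
# Run it again against the raw backend, e.g. http://your-server:8069, to
# confirm that nginx cannot simply be bypassed.
if [ -n "${1:-}" ]; then
    audit_db_manager "$1"
fi
```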
If you get 200 OK, the block is not working.

What If You Need Database Operations?
Use command-line tools on the server instead of the web manager:
```shell
# Create a database and initialise it with the base module:
createdb -U odoo new_database
odoo-bin -d new_database -i base --stop-after-init
# Backup:
pg_dump -U odoo -Fc production > backup.dump
# Unlike the web manager's zip backup, pg_dump does not include the filestore
# (attachments under <data_dir>/filestore/<database>); copy that directory separately.
# Restore:
createdb -U odoo restored
pg_restore -U odoo -d restored backup.dump
# Delete:
dropdb -U odoo old_database
# These are safer because they require server access (SSH)
```

DeployMonkey
DeployMonkey blocks the database manager by default on all production instances. The AI agent handles database operations (backup, restore, duplicate) through authenticated APIs with audit logging — never through the unauthenticated web interface.