
Odoo Security Best Practices: Complete Guide for Production

DeployMonkey Team · March 22, 2026 · 14 min read

The Odoo Security Checklist

Every production Odoo instance should pass these security checks. The list is ordered by severity — fix critical issues first.

Critical: Fix Immediately

1. Change the Default Admin Password

# Change admin password in Odoo Settings → Users
# Also set a strong master password:
# odoo.conf:
admin_passwd = your_very_strong_random_password_here

2. Disable the Database Manager

The database manager at /web/database/manager allows creating, deleting, and downloading databases without any authenticated user session.

# Option 1: Block in nginx (return 404 is processed in the rewrite phase,
# before deny is evaluated, so it is what answers; either line alone blocks the path)
location /web/database {
    deny all;
    return 404;
}

# Option 2: Set list_db to False in odoo.conf
list_db = False
dbfilter = ^your_database$

3. Enable SSL/HTTPS

# Install Let's Encrypt
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.com

# Enable HSTS in nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

4. Restrict PostgreSQL Access

# pg_hba.conf — only allow local connections
# (PostgreSQL 14 and later default to scram-sha-256, which can replace md5 here)
local   all   odoo   peer
host    all   odoo   127.0.0.1/32   md5

# Firewall — block port 5432 from external
sudo ufw deny 5432
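Items 1, 2 and 4 are plain configuration values, and configuration drifts. The script below is an added example, not part of this guide or of DeployMonkey's tooling: it reads an odoo.conf and a pg_hba.conf and reports exactly those conditions (default or short master password, list_db left on, missing dbfilter, trust rules, non-loopback host rules). The four sample files are constructed, the 16-character minimum and the weak-password list are this example's own choices, and the pg_hba parser assumes the CIDR address form the page uses.

```python
import configparser
import ipaddress

# Constructed samples (not taken from any real deployment).
WEAK_ODOO_CONF = """\
[options]
admin_passwd = admin
list_db = True
"""

HARDENED_ODOO_CONF = """\
[options]
admin_passwd = 7Qk3vN9pLx2WmZ8rT4hB1yC6dF0sJ5aG
list_db = False
dbfilter = ^prod_db$
"""

WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                trust
host    all       all   0.0.0.0/0    md5
"""

HARDENED_PG_HBA = """\
local   all   odoo   peer
host    all   odoo   127.0.0.1/32   md5
host    all   odoo   ::1/128        md5
"""

WEAK_MASTER_PASSWORDS = {"admin", "password", "odoo", "changeme", "master"}
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def audit_odoo_conf(text):
    """Return a list of findings for the [options] section of an odoo.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    opts = cp["options"] if cp.has_section("options") else {}
    findings = []
    master = opts.get("admin_passwd", "").strip()
    if not master or master.lower() in WEAK_MASTER_PASSWORDS:
        findings.append("admin_passwd is unset or a well-known default")
    elif len(master) < 16 and not master.startswith("$"):  # "$..." = hash written by Odoo's UI
        findings.append("admin_passwd is shorter than 16 characters")
    if opts.get("list_db", "True").strip().lower() != "false":
        findings.append("list_db is not False: /web/database/manager stays reachable")
    if not opts.get("dbfilter", "").strip():
        findings.append("dbfilter is unset: requests are not pinned to one database")
    return findings


def audit_pg_hba(text):
    """Flag pg_hba.conf rules that skip authentication or accept non-loopback clients."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            addr, method = None, fields[3]
        elif kind.startswith("host") and len(fields) >= 5:
            addr, method = fields[3], fields[4]   # assumes ADDRESS written as ip/prefix
        else:
            continue
        if method == "trust":
            findings.append(f"line {lineno}: 'trust' skips authentication entirely")
        if addr is None:
            continue
        if addr == "all":
            findings.append(f"line {lineno}: {kind} rule accepts any client address")
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # hostnames, samehost/samenet: left for manual review
        if not any(net.subnet_of(lb) for lb in LOOPBACK if lb.version == net.version):
            findings.append(f"line {lineno}: {kind} rule accepts clients from {addr}")
    return findings


if __name__ == "__main__":
    for label, text, fn in (("odoo.conf", WEAK_ODOO_CONF, audit_odoo_conf),
                            ("pg_hba.conf", WEAK_PG_HBA, audit_pg_hba)):
        print(label, fn(text))
```

Run it against the real files (`/etc/odoo/odoo.conf` and the pg_hba.conf path shown by `SHOW hba_file;`) from a cron job or CI step; a non-empty result for either file is the signal that one of the critical items has regressed.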

High: Fix Within 24 Hours

5. Configure Security Headers

# nginx configuration ("always" also sends the header on error responses)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers ignore it and rely on CSP instead
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
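A header set is easy to get half right: one directive missing, one without `always`, an HSTS max-age that was lowered during a test and never restored. The checker below is an added example (not DeployMonkey's code) that parses the `add_header` directives out of an nginx config and grades them against the list above; the two server blocks are constructed, and the six-month HSTS floor and the informational note on `'unsafe-eval'` are this example's own thresholds.

```python
import re

# add_header NAME VALUE [always];  -- VALUE may be double-quoted, single-quoted or bare
ADD_HEADER_RE = re.compile(
    r"""^\s*add_header\s+(\S+)\s+(?:"([^"]*)"|'([^']*)'|([^\s;]+))\s*(always)?\s*;""",
    re.M,
)

# Required headers and the shape their value must have.
REQUIRED = {
    "Strict-Transport-Security": re.compile(r"max-age=\d+"),
    "X-Frame-Options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "X-Content-Type-Options": re.compile(r"^nosniff$", re.I),
    "Referrer-Policy": re.compile(r"\S"),
    "Content-Security-Policy": re.compile(r"default-src"),
}
MIN_HSTS_AGE = 15552000  # six months, this example's floor

# Constructed sample configs.
WEAK_NGINX = """\
server {
    listen 443 ssl;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff always;
    location / { proxy_pass http://127.0.0.1:8069; }
}
"""

HARDENED_NGINX = """\
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
    location / { proxy_pass http://127.0.0.1:8069; }
}
"""


def parse_add_headers(conf):
    """Return {lowercased header name: (value, has_always)}; a later directive overrides an earlier one."""
    headers = {}
    for m in ADD_HEADER_RE.finditer(conf):
        value = next(g for g in m.group(2, 3, 4) if g is not None)
        headers[m.group(1).lower()] = (value, m.group(5) is not None)
    return headers


def audit_headers(conf):
    """Return a list of (level, message); level is 'fail' or 'info'."""
    found = parse_add_headers(conf)
    findings = []
    for name, pattern in REQUIRED.items():
        entry = found.get(name.lower())
        if entry is None:
            findings.append(("fail", f"missing {name}"))
            continue
        value, always = entry
        if not pattern.search(value):
            findings.append(("fail", f"{name} has unexpected value {value!r}"))
        if not always:
            findings.append(("fail", f"{name} lacks 'always': not sent on error responses"))
    hsts = found.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if m and int(m.group(1)) < MIN_HSTS_AGE:
            findings.append(("fail", "Strict-Transport-Security max-age below six months"))
    csp = found.get("content-security-policy")
    if csp and "'unsafe-eval'" in csp[0]:
        findings.append(("info", "CSP permits 'unsafe-eval'; keep it only while the web client needs it"))
    return findings


def failures(conf):
    """Only the findings that should fail a deployment check."""
    return [msg for level, msg in audit_headers(conf) if level == "fail"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NGINX), ("hardened", HARDENED_NGINX)):
        print(label, audit_headers(conf))
```

One nginx caveat this flat parser cannot see: `add_header` directives are inherited from the enclosing block only if the inner block defines none of its own, so a single `add_header` inside a `location` silently drops every server-level header for that location. Feed the checker the rendered config (`nginx -T`) and run it per block if you use that pattern.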

6. Enable Two-Factor Authentication

Enable 2FA for all admin and privileged accounts in Settings → Users → Two-Factor Authentication.

7. Review User Permissions

  • Audit who has Administration/Settings group
  • Remove unnecessary admin access
  • Use role-based groups (user/manager/admin tiers)
  • Review record rules for multi-company setups

8. Configure Firewall

# Allow only necessary ports
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

# Block Odoo direct access from internet
sudo ufw deny 8069
sudo ufw deny 8072

Medium: Fix Within 1 Week

9. Set Up Automated Backups

  • Daily database + filestore backups
  • Offsite storage (S3, GCS)
  • Backup verification and integrity testing
  • Retention policy (keep 30 daily, 12 monthly, 5 yearly)
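The retention rule above ("keep 30 daily, 12 monthly, 5 yearly") is the part of a backup job most often implemented wrongly, usually by deleting on age alone. The following is an added example, not the guide's or DeployMonkey's code, of the selection logic: it walks the backups newest first and keeps the newest one in each day, month and year bucket until that category's quota is used up, the way `borg prune` and `restic forget` interpret the same policy. The sample run of daily backups is constructed; note that quotas are upper bounds, so a history covering two calendar years yields two yearly copies, not five.

```python
from datetime import date, timedelta


def select_backups_to_keep(backup_dates, keep_daily=30, keep_monthly=12, keep_yearly=5):
    """Return the set of backup dates to retain under a keep-N-daily/monthly/yearly policy.

    Walks the backups newest first. The newest backup inside each distinct day,
    month and year bucket is kept until that category has used up its quota.
    A backup kept by any category stays; everything else is a deletion candidate."""
    quotas = {"daily": keep_daily, "monthly": keep_monthly, "yearly": keep_yearly}
    seen = {name: set() for name in quotas}
    keep = set()
    for d in sorted(set(backup_dates), reverse=True):
        buckets = {
            "daily": (d.year, d.month, d.day),
            "monthly": (d.year, d.month),
            "yearly": (d.year,),
        }
        for name, key in buckets.items():
            if key not in seen[name] and len(seen[name]) < quotas[name]:
                seen[name].add(key)
                keep.add(d)
    return keep


def prune_plan(backup_dates, **policy):
    """Split backups into (keep, delete) lists of ISO dates, each sorted oldest first."""
    keep = select_backups_to_keep(backup_dates, **policy)
    return (sorted(d.isoformat() for d in keep),
            sorted(d.isoformat() for d in set(backup_dates) - keep))


# Constructed sample: one backup per day for 400 days ending 2026-03-22.
SAMPLE_BACKUPS = [date(2026, 3, 22) - timedelta(days=i) for i in range(400)]

if __name__ == "__main__":
    keep, delete = prune_plan(SAMPLE_BACKUPS)
    print(f"keep {len(keep)} backups, delete {len(delete)}")
    print("kept:", ", ".join(keep))
```

Because selection is by bucket rather than by age, a week of missed backups does not eat into the 30 daily copies, and the oldest monthly copy is always a real end-of-month snapshot. Run the plan against the list of objects in the offsite bucket, and only delete what `prune_plan` returns after the newest backup has passed its restore test.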

10. Configure Log Rotation

# /etc/logrotate.d/odoo
/var/log/odoo/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}

11. Enable Audit Logging

  • Track login attempts (success and failure)
  • Track access to sensitive records (payroll, financial)
  • Track configuration changes (security groups, settings)
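Odoo's server log already records every login attempt; the value comes from reading it. The detector below is an added example, not code from this guide or from DeployMonkey, that parses those lines and raises two alerts: a source address with five or more failures inside ten minutes, and a successful login that follows a run of failures from the same address. The log excerpt is constructed, and the line format (`Login failed for db:... login:... from ...` under the `res_users` logger) is assumed here; check the wording in your Odoo version and adjust the regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Odoo log line shape: "<date> <time>,<ms> <pid> INFO <db> <logger>: Login failed|successful for db:<db> login:<login> from <ip>"
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \d+ INFO \S+ \S+: "
    r"Login (?P<result>failed|successful) for db:(?P<db>\S+) login:(?P<login>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = """\
2026-03-22 10:15:02,123 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:admin from 203.0.113.7
2026-03-22 10:15:09,410 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:administrator from 203.0.113.7
2026-03-22 10:15:15,002 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:root from 203.0.113.7
2026-03-22 10:15:21,777 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:odoo from 203.0.113.7
2026-03-22 10:15:30,301 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:jdoe from 203.0.113.7
2026-03-22 10:15:41,950 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:jdoe from 203.0.113.7
2026-03-22 10:16:02,118 1234 INFO prod_db odoo.addons.base.models.res_users: Login successful for db:prod_db login:jdoe from 203.0.113.7
2026-03-22 10:20:11,500 1234 INFO prod_db odoo.addons.base.models.res_users: Login failed for db:prod_db login:msmith from 198.51.100.4
2026-03-22 10:20:25,640 1234 INFO prod_db odoo.addons.base.models.res_users: Login successful for db:prod_db login:msmith from 198.51.100.4
2026-03-22 10:20:26,001 1234 INFO prod_db werkzeug: 198.51.100.4 - - [22/Mar/2026 10:20:26] "GET /web HTTP/1.1" 200 -
"""


def parse_login_events(text):
    """Return login events as dicts with ts (datetime), result, db, login, ip; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: max failures seen inside any `window`} for addresses reaching `threshold`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def find_success_after_failures(events, min_failures=3):
    """Return {ip: login} for successful logins preceded by >= min_failures failures from that ip."""
    failures = defaultdict(int)
    suspicious = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= min_failures:
            suspicious[e["ip"]] = e["login"]
    return suspicious


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    print("brute force:", find_bruteforce(events))
    print("success after failures:", find_success_after_failures(events))
```

The second rule is the one worth paging on: a burst of failures is noise until one of them succeeds, at which point the session for that user should be reviewed and the password rotated. If Odoo sits behind nginx, make sure `proxy_mode = True` is set so the logged address is the client's and not 127.0.0.1.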

12. Regular Updates

  • Apply Odoo security patches promptly
  • Update system packages: apt update && apt upgrade
  • Update Python dependencies

Security for Custom Modules

  • Always create ir.model.access.csv for custom models
  • Add record rules for multi-company data isolation
  • Never use sudo() to bypass access controls without justification
  • Validate all user input in controllers
  • Use parameterized queries if writing raw SQL
  • Sanitize HTML content with Odoo's built-in sanitizer
  • Use auth='user' on controllers unless public access is intentional
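The first item in that list is the one reviewers most often miss, and the second most common mistake is an access line whose `group_id:id` is left blank, which in Odoo makes the rule apply to every user, portal and public included. The linter below is an added example (not the guide's or DeployMonkey's code) that reads a module's `ir.model.access.csv`, confirms every custom model has an entry, and flags blank groups, write permissions for portal/public, and unlink granted to all internal users. The module name `x_payroll`, its two models and both CSV files are constructed for the example; the group xmlids (`base.group_user`, `base.group_portal`, `base.group_public`, `base.group_system`) are Odoo's own.

```python
import csv
import io

ACL_HEADER = ["id", "name", "model_id:id", "group_id:id",
              "perm_read", "perm_write", "perm_create", "perm_unlink"]
EXTERNAL_GROUPS = {"base.group_portal", "base.group_public"}

# Constructed sample: a hypothetical module x_payroll defining two models.
CUSTOM_MODELS = ["x_payroll.slip", "x_payroll.note"]

BAD_ACL = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_x_payroll_slip_user,x_payroll.slip user,model_x_payroll_slip,base.group_user,1,1,1,1
access_x_payroll_slip_global,x_payroll.slip global,model_x_payroll_slip,,1,0,0,0
access_x_payroll_slip_portal,x_payroll.slip portal,model_x_payroll_slip,base.group_portal,1,1,0,0
"""

GOOD_ACL = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_x_payroll_slip_user,x_payroll.slip user,model_x_payroll_slip,base.group_user,1,1,1,0
access_x_payroll_slip_manager,x_payroll.slip manager,model_x_payroll_slip,base.group_system,1,1,1,1
access_x_payroll_note_user,x_payroll.note user,model_x_payroll_note,base.group_user,1,1,1,0
"""


def model_xmlid(model_name):
    """Odoo generates the xmlid model_<name with '.' replaced by '_'> for every model."""
    return "model_" + model_name.replace(".", "_")


def lint_access_csv(csv_text, custom_models):
    """Return a list of findings for an ir.model.access.csv covering `custom_models`."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != ACL_HEADER:
        findings.append(f"unexpected header: {reader.fieldnames}")
        return findings
    covered = set()
    for row in reader:
        model = row["model_id:id"].strip().split(".")[-1]   # drop a module prefix such as base.
        covered.add(model)
        group = row["group_id:id"].strip()
        granted = [p for p in ("perm_write", "perm_create", "perm_unlink") if row[p].strip() == "1"]
        if not group:
            findings.append(f"{row['id']}: empty group, rule applies to every user including portal and public")
        elif group in EXTERNAL_GROUPS and granted:
            findings.append(f"{row['id']}: {group} granted {', '.join(granted)}")
        elif group == "base.group_user" and "perm_unlink" in granted:
            findings.append(f"{row['id']}: unlink granted to all internal users; reserve it for a manager group")
    for name in custom_models:
        if model_xmlid(name) not in covered:
            findings.append(f"{name}: no ir.model.access.csv entry")
    return findings


if __name__ == "__main__":
    for finding in lint_access_csv(BAD_ACL, CUSTOM_MODELS):
        print("-", finding)
```

The model list can be collected automatically by grepping `_name = "..."` out of the module's `models/` directory, so the check fits in a pre-commit hook next to the record-rule review for multi-company modules.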

DeployMonkey Security

DeployMonkey handles many of these security measures automatically: SSL certificates, firewall configuration, database manager lockdown, security header configuration, and automated backups. The AI agent continuously monitors for security issues and alerts on misconfigurations. Deploy on DeployMonkey for security-hardened Odoo hosting from day one.