Security Checks

The full catalogue of automated security checks hav.sh runs against each Odoo service.

hav.sh runs the following checks against every running Odoo service. Each check is a black-box HTTP probe against the service's public hostname; nothing is installed inside your Odoo instance.

## Critical

### Default admin password

Attempts to authenticate with admin / admin against /web/session/authenticate. A successful login means anyone on the internet can take over the database.

Fix: Log in to Odoo and change the admin user's password to a strong, unique value.

### Database manager exposed

Requests /web/database/manager. The endpoint must return 403 Forbidden: the Odoo database management UI must never be reachable from the public internet, as it exposes the master password prompt and can be used to create, drop or back up databases.

Fix: Set list_db = False (and a strong admin_passwd) in the Odoo configuration, then redeploy the service.

### Database selector exposed

Requests /web/database/selector. The endpoint must return 403 Forbidden: a reachable selector confirms list_db is still enabled and gives an attacker the list of databases on the host.

Fix: Same as above; set list_db = False.

### Database list via JSON-RPC

Calls JSON-RPC /web/database/list. Even when the selector UI is disabled, a misconfigured server can still respond to the RPC endpoint and leak database names.

Fix: Set list_db = False and confirm the RPC endpoint returns an empty list.

### HTTPS enforced

Sends a plain HTTP request and follows the redirect. If the service answers HTTP traffic without redirecting to HTTPS, credentials and session cookies can be intercepted.

Fix: Confirm the Traefik reverse proxy is healthy and the service has a valid Let's Encrypt certificate.

## Warning

### Website info disclosure

Requests /website/info. The endpoint must return 403 Forbidden: some Odoo versions expose the exact Odoo version on this page, which makes it easier for attackers to target known CVEs.

Fix: Block the /website/info route at the reverse proxy, or upgrade to a version that does not expose it.

### Server header leak

Confirms the Server response header does not leak Werkzeug, Odoo or Python. Suppressing the banner is defence-in-depth: it does not stop an attack, but it slows automated scanners.

Fix: Strip or rewrite the Server header at the reverse proxy.

### HSTS header

Checks /web/login for a Strict-Transport-Security response header. HSTS instructs browsers to always use HTTPS for your domain, preventing downgrade attacks.

Fix: Add the HSTS header in the Traefik middleware for the service.

### Clickjacking protection

Checks /web/login for either an X-Frame-Options header or a frame-ancestors directive in Content-Security-Policy. Without one, your login page can be embedded in a malicious iframe.

Fix: Add X-Frame-Options: SAMEORIGIN (or a CSP frame-ancestors directive) at the reverse proxy.

## Info

### Login reachable

A positive control that confirms /web/login returns 200. If this check fails, the service is offline or the proxy is misrouting traffic; no other security check is meaningful until it passes.
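The probes in this catalogue are simple enough to reproduce for a self-audit before or between hav.sh runs. The script below is an added example, not hav.sh's own code: it implements the endpoint and header checks above (database manager and selector, JSON-RPC database list, HSTS, clickjacking, Server header, login reachable) with only the Python standard library, and the hostname passed to audit() is yours to supply; the admin-password and HTTPS-redirect checks are left out.

```python
import json
import urllib.error
import urllib.request

def db_list_empty(status, headers, body):
    # Pass only when no database names come back: an empty result, or the
    # JSON-RPC error object Odoo returns once list_db = False.
    try:
        return not json.loads(body).get("result")
    except ValueError:
        return status != 200

def clickjacking_protected(status, headers, body):
    return bool(headers.get("x-frame-options")) or \
        "frame-ancestors" in headers.get("content-security-policy", "").lower()

def server_header_clean(status, headers, body):
    banner = headers.get("server", "").lower()
    return not any(t in banner for t in ("werkzeug", "odoo", "python"))

# (check name, path, JSON-RPC payload or None for a plain GET, evaluator)
CHECKS = [
    ("Login reachable", "/web/login", None, lambda s, h, b: s == 200),
    ("Database manager exposed", "/web/database/manager", None, lambda s, h, b: s == 403),
    ("Database selector exposed", "/web/database/selector", None, lambda s, h, b: s == 403),
    ("Database list via JSON-RPC", "/web/database/list",
     {"jsonrpc": "2.0", "method": "call", "params": {}}, db_list_empty),
    ("HSTS header", "/web/login", None,
     lambda s, h, b: "max-age=" in h.get("strict-transport-security", "").lower()),
    ("Clickjacking protection", "/web/login", None, clickjacking_protected),
    ("Server header leak", "/web/login", None, server_header_clean),
]

def fetch(url, payload=None):
    # Return (status, lower-cased headers, body); 4xx/5xx are results, not exceptions.
    data = json.dumps(payload).encode() if payload is not None else None
    extra = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, headers=extra)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            status, hdrs, body = r.status, r.headers, r.read()
    except urllib.error.HTTPError as e:
        status, hdrs, body = e.code, e.headers, e.read()
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode("utf-8", "replace")

def audit(base_url):
    # Run every probe against one hostname; map check name -> passed (True/False).
    return {name: check(*fetch(base_url.rstrip("/") + path, payload))
            for name, path, payload, check in CHECKS}
```

Call audit("https://your-odoo-hostname") and treat any False as the corresponding finding above; the evaluators take (status, headers, body) so they can also be run against saved responses.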