Overview

Continuous security checks for your Odoo services: detect default passwords, exposed database managers, missing HTTPS and more.

hav.sh continuously probes every running Odoo service for the most common production security issues. Results appear on each service's Security tab, sorted by severity, so you can spot and fix problems before an attacker finds them.

# What it checks

Security Insights runs a fixed catalogue of black-box checks against the public hostname of each Odoo service. The checks cover three areas:

  • Authentication: Is the default admin / admin login still working? Could a leaked database list let an attacker target a specific tenant?
  • Exposed endpoints: Is the Odoo database manager or selector reachable from the internet? Does /website/info leak the Odoo version?
  • Transport security: Are HTTP requests forced to HTTPS? Is the HSTS header set? Is clickjacking protection in place?

For the full list of checks, see Security Checks.
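An added example (not hav.sh code) that models four of the checks above as pure functions over recorded responses and sorts failures critical-first the way the Security tab does. The probe keys, check names and severity mapping are assumptions for the example, and the sample responses are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Probe:
    """One recorded response: HTTP status plus headers (lower-cased names)."""
    status: int
    headers: dict = field(default_factory=dict)

def db_manager_ok(p: Probe) -> bool:
    # /web/database/manager rendering (HTTP 200) means list_db is still on.
    return p.status != 200

def https_redirect_ok(p: Probe) -> bool:
    # The plain-HTTP probe must be answered with a redirect to an https:// URL.
    loc = p.headers.get("location", "")
    return p.status in (301, 302, 307, 308) and loc.startswith("https://")

def hsts_ok(p: Probe) -> bool:
    # HSTS counts only with a positive max-age.
    m = re.search(r"max-age=(\d+)", p.headers.get("strict-transport-security", ""))
    return bool(m) and int(m.group(1)) > 0

def clickjacking_ok(p: Probe) -> bool:
    # DENY/SAMEORIGIN keeps the login page from being framed by another site.
    return p.headers.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")

# check name -> (probe it reads, severity, pass predicate). Severities are an
# assumption for this example; the page does not publish the catalogue's mapping.
CHECKS = {
    "db_manager_exposed": ("db_manager", "critical", db_manager_ok),
    "https_not_enforced": ("http_root", "critical", https_redirect_ok),
    "hsts_missing": ("https_root", "warning", hsts_ok),
    "clickjacking": ("https_root", "warning", clickjacking_ok),
}
ORDER = ("critical", "warning", "info")

def run_checks(probes: dict) -> list:
    """Return the failing findings sorted critical-first, like the Security tab."""
    hits = [{"check": n, "severity": sev, "status": probes[k].status}
            for n, (k, sev, ok) in CHECKS.items() if not ok(probes[k])]
    return sorted(hits, key=lambda f: ORDER.index(f["severity"]))

# Constructed sample: HTTPS redirect is fine, but list_db is on and HSTS is absent.
SAMPLE = {
    "http_root": Probe(301, {"location": "https://shop.example.test/"}),
    "https_root": Probe(200, {"x-frame-options": "SAMEORIGIN"}),
    "db_manager": Probe(200),
}
```

Running `run_checks(SAMPLE)` reports the exposed database manager as critical and the missing HSTS header as a warning; swapping in a 403 for the manager and a `max-age` HSTS header clears both.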

# Severity levels

Every check is assigned one of three severities:

| Severity | Meaning |
|---|---|
| Critical | An immediate, exploitable risk. Fix as soon as possible. |
| Warning | A hardening recommendation that does not allow direct compromise but weakens defence-in-depth. |
| Info | Diagnostic information, for example confirming that the login page is reachable. |

The Security tab is sorted by severity, with critical findings at the top. A red badge on the Security sub-navigation shows how many checks are currently failing.

# How checks run

  • Checks run automatically on a schedule for every running, non-preview, non-copy Odoo service.
  • You can re-run the catalogue at any time with the Run checks now button on the Security tab. A background job probes the service and updates results within a few seconds.
  • Each check stores its HTTP status, response time and the failure detail, so you can see exactly what was returned.

# Scope

  • Checks are performed per Odoo service, using the service's platform hostname.
  • Preview deployments and offline copies are not probed; by design they are not reachable from the public internet.
  • Results are scoped to your team. No data leaves your hav.sh tenant.

# Fixing findings

The Security tab lists each finding with a short explanation of why it failed and what response was observed. Most issues are configuration problems that can be fixed in the Odoo service configuration:

  • Default admin password: Change the admin password from the Odoo UI.
  • Database manager / selector exposed: Set list_db = False in the Odoo configuration and redeploy the service.
  • HTTPS not enforced / HSTS missing: Verify the Traefik reverse proxy and certificate are healthy on the service's domain.

After fixing an issue, click Run checks now to confirm the finding has cleared.

Security Insights is an early-warning system, not a replacement for a full audit. It catches the most common production misconfigurations; pair it with regular backups, restricted SSH access and Odoo Enterprise updates for full coverage.