3x-ui/docs/panel-guide/04-security-and-hardening.md

# 04. Security and Hardening

## Immediate high-priority items

1. Enable TLS for panel access.
2. Change default/guessable panel base path.
3. Change default subscription paths.
4. Use strong admin password + 2FA.
5. Restrict panel listen IP where possible.

## Operational hardening

- Keep backups of DB before major changes.
- Use staged config changes, not bulk edits.
- Keep one known-good inbound active.
- Review logs after each restart.

## Control-plane warning handling

If panel shows security warning banner:
- Treat as real risk, not cosmetic.
- Do not expose panel publicly without TLS.

## Inbound safety rules

For active user inbounds:
- Avoid sudden port/security/transport changes.
- Avoid key/shortId rotation without migration window.
- Avoid disable/delete on active inbounds without user communication.

Safe changes anytime:
- Remark/naming cleanup
- Client naming consistency
- Non-functional labeling and grouping

## Current naming standard recommendation

Use:
- `<protocol>-<transport>-<security>-<port>-<role>`

Examples:
- `vless-reality-tcp-443-main`
- `vless-reality-tcp-8443-alt`
- `vless-tcp-http-18080-test`

## Suggested maintenance cadence

Daily:
- Check Xray state, error logs, traffic anomalies

Weekly:
- Review depleted/disabled clients
- Validate backup and restore path

Monthly:
- Rotate sensitive paths/credentials if needed
- Review exposed interfaces and firewall rules
docs: add panel guide documentation 2026-02-18 16:42:04 +00:00			`# 04. Security and Hardening`

			`## Immediate high-priority items`

			`1. Enable TLS for panel access.`
			`2. Change default/guessable panel base path.`
			`3. Change default subscription paths.`
			`4. Use strong admin password + 2FA.`
			`5. Restrict panel listen IP where possible.`

			`## Operational hardening`

			`- Keep backups of DB before major changes.`
			`- Use staged config changes, not bulk edits.`
			`- Keep one known-good inbound active.`
			`- Review logs after each restart.`

			`## Control-plane warning handling`

			`If panel shows security warning banner:`
			`- Treat as real risk, not cosmetic.`
			`- Do not expose panel publicly without TLS.`

			`## Inbound safety rules`

			`For active user inbounds:`
			`- Avoid sudden port/security/transport changes.`
			`- Avoid key/shortId rotation without migration window.`
			`- Avoid disable/delete on active inbounds without user communication.`

			`Safe changes anytime:`
			`- Remark/naming cleanup`
			`- Client naming consistency`
			`- Non-functional labeling and grouping`

			`## Current naming standard recommendation`

			`Use:`
			- `<protocol>-<transport>-<security>-<port>-<role>`

			`Examples:`
			- `vless-reality-tcp-443-main`
			- `vless-reality-tcp-8443-alt`
			- `vless-tcp-http-18080-test`

			`## Suggested maintenance cadence`

			`Daily:`
			`- Check Xray state, error logs, traffic anomalies`

			`Weekly:`
			`- Review depleted/disabled clients`
			`- Validate backup and restore path`

			`Monthly:`
			`- Rotate sensitive paths/credentials if needed`
			`- Review exposed interfaces and firewall rules`