What Measures Does Odoo Take For Ensuring Security Safety?
| Resources, Odoo Guide |
Written by, William McMahon - January, 1st, 2025
Today, I wanted to touch on a little bit more of a serious topic. I see this often spoken within the Odoo Community and more so in the last few months. How is security managed via a growing platform, and what can customers do to keep safe.
Whether you are a fledging business looking to implement Odoo or, likewise, an Odoo customer or user, security should always be at the forefront of your mind. Odoo like wise, takes this topic also quite seriously. It's important. Period. From an Odoo perspective, actions are taken every day to guarantee that data is safe and security best practices are applied across organisations and businesses.
With Odoo's core being open-source focused, the whole codebase is routinely under examination across the community, further including organisations and individual users. While I have discussed a lot in the past regarding the Odoo community in recent times, the security procedures that are put in place with Odoo, are also contributed towards by the said community. Odoo is always encouraging the support of feedback and encouraging developers to audit the code for possible issues which have been identified.
This then links back to Odoo's R&D evaluation processes which are put in place to review such code for security aspects.
Additionally, Denis was met by Florian Vranckx, at OXP 24 as they further discussed the most common security issues.
I would highly recommend giving the videos above a watch, as they outline the basis point of security within Odoo and what is being done to ensure best practices are considered.
Security In Odoo
Before I dive deeper into the efforts that Odoo is taking regarding security, best practice.
In my eyes, security starts at home. Articles by the great Cloudpepper got me thinking in regards to this, so I wanted to add my two cents into the conversation. Thanks once again to Sven from the company, and you can find that reference article here.
With Odoo growing month on month, let alone year on year, and with organisations looking into further consolidating their tech stack, ensuring that you and your workforce have a safe and secure environment is critical and best practice for safety. It's time to put those critical sensitive protection data methods into place.
If you need support, ask for it, there are experts out there for a reason.
I think Sven hits correctly on highlighting this first in his article above. My first advice is that you feel out of your depth when it comes to security; you most likely are, so don't risk it.
There are some brilliant contributors and local Odoo Partners that specialise in these matters, so without pulling the security plug and letting that data flow out, consult with an expert, to help you through the process at hand. That also goes back into local/regional data protection regulations.
Should You Be Upgrading Your Odoo Environment Yearly?
To play devil's advocate here, I appreciate that there has been a lot of talk recently about whether you should upgrade every time to Odoo's newest version. While that debate continues, I have reported on it myself; one thing you can guarantee is that with each new Odoo version, updates to security continue to improve. It's important to mention if you are also on what I would call a 'legacy version' of Odoo - that being one which is not directly supported any more.
And for those who may not already know...
Odoo will only continue to support the last three released versions. This then each year is updated when a new version is released.
As I said, while the debate continues, if you should upgrade every year, please don't leave it for extremely long periods, as you could become more vulnerable as a business due to new scams, security flaws and actions being prayed on by cyber security attackers. Odoo regularly releases updates and patches to address new security concerns.
Setting Up User Access Rights In Odoo Is Simply Best Practice
No matter the size of the organisation, it is paramount that your user access rights are set up correctly. By doing this, each person within your company has only access to what they need. Creating relevant and appropriate levels of access to certain apps and functions based on their individual job roles. Minimising unauthorised access and data breaches which could become a possibility.
For additional information on user access rights and security in Odoo, please refer to the hub below, where you can seek more information on the Odoo 18 documentation, or likewise, please also switch the version.
Security In Odoo - Documentation
Discover the Odoo documentation on offer, looking to the technical side of Security within the ERP platform and what you can do to minimise risk in your organisation.
Learn more:Lastly, before I dive into how Odoo is battling the security front, please do not neglect the proper and correct training across your workforce regarding security best practices. With a system like Odoo or any other ERP being implemented, it can be a big business change. Ensure that your workforce is confident in knowing the best practices. Take a look at the how Odoo is tackling GDPR practices.
Backups & Disaster Recovery
Regarding 'backups' and 'disaster recovery,' Odoo has procedures in place to ensure that they are addressed. Find information on this below, on how they are handled within Odoo.
Backup Frequency
Odoo keeps 14 full backups of each Odoo database for at least 3 full months. This is then further broken down into periods of time.
- 1/day: 7 days
- 1/week: 4 weeks
- 1/month: 3 months
Backups are then further replicated in a least 3 different data centers across at least 2 different continents. The locations of the data centers are also specified in Odoo's Privacy Policy which you can have a further look at if desired here. You can also download manual backups of your live data at any time using the control panel.
The Odoo Helpdesk can be contacted if any assistance is needed in helping restore any backup within the time period on your individual live databases, if then required. to submit a support ticket to Odoo, if you need assistance, you can follow this link here.
Hardware Failover: 'For services that are hosted on bare metal and where hardware failure is possible, we implement local hot standby replication, with monitoring and a manual failover procedure that takes less than 5 minutes.'
As stated by the Odoo security team within their documentation.
Disaster Recovery
Unfortunately, in many cases, it is always good to be prepared. In the case and state of a complete 'disaster' with a data centre entirely down in this case/example and for an extended period, preventing the failover to Odoo's local hot standby, the following actions are then undertaken for best practice.
(It is also important to note, that, as per Odoo's words, as well, thankfully - this process has never needed to be actioned in the case of disaster - however, the 'worst-case' plan is put into practice to cover the best possible actions if so)
RPO (Recovery Point Objective): = 24 hours. Meaning that you could lost a maximum of 24 hours of work if the data at the final point cannot be then recovered and the latest daily backup needs to be restored, in this instance.
RTO (Recovery Time Objective): = This varies depending on what type of customer you are that is using Odoo. 24 hours are referred paid subscriptions, 48 hours for free trials, education offers and those that are known as 'freemium users' in cases. This is based on the time to restore the service in a different data centre if the ultimate disaster does occur or it down.
Odoo takes this very seriously via monitoring daily backups actively with them and then being replicated across different countries. They also have automated provisioning in deploying their services in a new hosting location. For the most part, when then restoring the data based on the previous backups, they can be done in a few hours, with a focus on paid subscriptions first. Ensuring that these processes are there, disaster recovery procedures are tested ALL the time.
Odoo Database Security
When it comes to Database Security, customer data is further stored in a dedicated database, with no sharing of stated data between clients whatsoever. Data access control rules then further implement complete isolation between customer databases that are running on the same cluster. Again, no access is possible from one database to another, and they are completely separate.
Odoo Password Security
As standard, customer passwords are protected with the industry-standard PBKDF2+SHA512 encryption. Odoo staff furthermore do not have access to your passwords, and therefore can furthermore not be retrieved for you. It has to be reset.
What's The Difference Between PBKDF And SHA?
Learn more about the difference between the two and the context in which they are used in when it comes to security within organisations.
Login credentials are always transmitted in a secure manner via HTTPS.
Those who are database administrators where relevant also have the option to configure rate limiting and cooldown periods when it comes to passwords within Odoo. Also, to be applied for repeated login attempts that have failed. You can read that via Odoo GitHub.
"base.login_cooldown_after": lambda: 10,
"base.login_cooldown_duration": lambda: 60,
In regards to password policies, it is up to you as the organisation to set the best practices and standards to ensure that this is covered correctly. Database administrators have a built-in setting for then further pushing and enforcing a minimum user password length.
Due to being counter-productive, Odoo has decided to not support and enforce 'required character classes' into their set password protection scheme, with supported material provided for that here and here.
Staff Access In Odoo
When it comes to staff access, Odoo Helpdesk may, in some cases, sign into your account. This will be due to a support issue if logged, as previously disclosed. They will, however, as stated by Odoo, only use their 'special staff credentials', and not your password (which they have no way of knowing what that is).
This is done to improve efficiency and security so that they can then reproduce the problem and diagnose it. You should never share your password with anyone, and if asked, it could be a scam. Odoo audits and controls staff actions/access separately.
From a helpdesk perspective, Odoo builds its core values on respecting its user's privacy as much as possible and only accessing files and settings where needed to solve and resolve your issue as quickly as possible to get you back up and running.
Odoo System Security
In association with Odoo Cloud services, they are operated and running on Linux. Including up-to-date security patches as per best practices. Installations are on an ad-hoc basis and kept to a minimum to limit the number of services which could contain vulnerabilities.
From an Odoo perspective, only a strict amount of trusted Odoo engineers have such clearance to then remotely manage the servers. Access to such is only possible through using an encrypted personal SSH keypair, including being from a computer with full-disk encryption, which naturally limits the security pitfalls.
Odoo Physical Security
Looking to physical security, Odoo Cloud servers are hosted in trusted data centres across various regions of the world. This includes the likes of OVH, Google Cloud, etc. Any which is used must exceed Odoo's regulations for physical criteria:
- Restricted perimeter, accessed through authorised employees
- Physical access control with security badges and biometrical tech
- Security cameras monitoring the data locations 24/7
- On-site security personnel
While I can imagine at this point, you might be thinking, 'But William, why does this matter to me and my business?' But it does; your data and business are at stake. That's why when it comes to protocols, Odoo takes even the background steps to ensure best practices.
Credit Card Safety In Odoo
Credit card safety is paramount, so Odoo takes critical steps to ensure safety. Odoo never store credit card information on their own systems. Any information which is further transmitted is always done securely through you directly and Odoo's PCI-Compliant payment acquirers. Information regarding this can be found on Odoo's Privacy Policy.
For those Accounting fanatics out there, I would highly advise giving Christophe Klopfert and his talk at OXP 24 for a listen, about 'Ensuring Security: Odoo's Anti-Fraud And Scam Protection In Accounting' session.
Data Encryption
Customer data is always transferred and stored in encrypted formats through both transit of data and at rest. All data communications that are relevant to client cases are then protected with state-of-the-art 256-bit SSL encryption (HTTPS).
Odoo's servers are furthermore kept under strict security surveillance and then patched across the latest diagnosed SSL certificates, resulting in Grade A SSL ratings at all times.
All of Odoo's SSL certifications are robust 2048-bit modulus with full SHA-2 certificates. All customer data being database content or stored files, is also further encrypted at rest in production and in backups (AES-128 or AES-256).
Network Defence
All the data centres which are used by Odoo Cloud are chosen due to their very large network capabilities. Designed from an infrastructure perspective to withstand the largest Distributed Denial of Service - also known as DDoS attacks. Via their automatic and manual mitigation systems they can then further detect and divert potential attack traffic on the edge of their multi-continental networks. Tackling it before it, of course, gets any single chance of then disrupting servicer availability.
Firewalls and attack prevention systems are also put into place on servers used by Odoo Cloud to further help identify and detect threats. These could commonly be found in examples such as brute-force password attacks.
Designed With Security In Mind Against Common Set Vulnerabilities
It's important to mention that Odoo is also designed in a process which prevents common and unfortunate security vulnerabilities:
SQL Injections: Such SQL injections are further prevented by the exact use of a higher-level API that does not require manual SQL queries.
XSS Attacks: Additionally, XSS attacks are prevented through the use of a high-level templating system that then automatically escapes injected data. The framework prevents RPC access to private methods, which, from a best practice standpoint, makes it much harder to introduce vulnerabilities which can be exploited.
Does Odoo Undertake Independent Security Audits?
It is also important to mention that Odoo is, on a regular basis, audited by external independent companies that are hired to perform strict audits and penetration tests.
The Odoo security team then likewise receives said results and takes immediate appropriate action where relevant through corrective measures and tactics. While these results will never be disclosed, Odoo also has a very active community of key independent security researchers who also then continue to monitor the source code and work to improve measures.
More information on this can be shown here, and how to report said issues within Odoo's 'Responsible Disclosure Policy' and documentation.
Odoo's Stance On OSWASP
Also disclosed within Odoo's security documentation, which I will share below, is Odoo's stance on the top security issue - OWASP (Open Web Application Security Project) and how Odoo has responded in question.
Injection Flaws: Injection flaws, particularly SQL injection, are further common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into further executing unintended commands or changing data.
Odoo's Stance: 'Odoo uses and relies on an object-relational mapping, also known as ORM, via framework that abstracts query building and then prevents SQL injections by standard. In several cases, developers do not often craft SQL queries manually, as they are generated by ORM and the parameters are always escaped.'
Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites and possibly introduce worms.
Odoo's Stance: Odoo's framework escapees all expressions rendered into views and pages by default, which further prevents XSS. The developers, in Odoo's case, specially mark expressions as "safe" for raw inclusion into rendered pages.
Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Odoo's Stance: 'The website engine from Odoo includes a built-in standard CSFR protection mechanism. Further preventing any HTTP controller to then receive a POST request without the correct corresponding security token. A Highly recommended process for CSRF prevention as a best practice standard. In question, the security token is only then known and present when the user ultimately has accessed the relevant website form, and the attackers can not forge a request without it.
You can find a great CSRF attack prevention sheet for this here.
Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise.
Odoo's Stance: 'Odoo never exposes functions to perform remote file inclusion. It does allow. however, privileged users to customise features by adding custom expressions that will then be evaluated by the system. These expressions are always evaluated by a sandbox and sanitised environment that only allows access to permitted functions.
Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an subjected internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can then manipulate those references to access other objects without authorisation.
Odoo's Stance: Odoo access control is not implemented at the user interface level, so in this case, there is no risk in exposing references to 'internal objects' within URLs. In addition to this, attackers cannot circumvent the access control layer by further manipulating those references because every request still has to go through the data access validation layer.'
Insecure Cryptographic Storage: Web applications rarely use the cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft/other crimes, like credit card fraud.
Odoo's Stance: 'Odoo, for reference, uses industry-standard secure hashing for user passwords (by default PBKDF2 + SHA-512, with key stretching) to then protect stored passwords. It is also then possible to use external authentication systems such as OAuth 2.0 or LDAP, in order to avoid storing said user passwords locally.'
Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect communications
Odoo's Stance: 'Odoo Cloud runs on HTTPS by standard and default. For on-premise installations, it is recommended to run Odoo behind a web server implementing the encryption and proxying request to Odoo, for example, Apache, Lighttpd or nginx. The Odoo deployment guide increases a security checklist for safe public deployments.'
Failure to Restrict URL Access: Frequently an application only further protects sensitive functionality by preventing the display of links or URLs to unauthorised users. Attackers can use this weakness to access and perform unauthorised operations by accessing those URLs directly.
Odoo's Stance: ' Access control in relation to Odoo is not further implemented at the user interface level, and the security does not further rely on hiding special URLs. Attackers cannot circumvent the access control layer by reusing or manipulating any URL, as every single request still has to go through data access validation layer.
If you would like to read more about the documentation Odoo provides regarding security, I will link it below for your convenience. I highly advise you to read it in addition to the points that I have highlighted here.
FAQs
Want to learn more about Odoo? Check out some of our community FAQs.
Yes Odoo is open-source. Odoo is made up of an integrated suite of business apps that can be further integrated into your business.
Odoo uses Python mainly, including other aspects like XML for views and JavaScript for dynamic aspects.
Odoo does a number of things, to ensure security across the platform such as encryption, regular updates and audit trails.
The Author
Support and meet the author of this article.
William McMahon
Founder of The Purple Juice Co.
With over 25+ years in the technology sector, having further worked directly at Salesforce & Dell, William is one of the most experienced in the field of CRM and ERP.