devpi-server security


By default exposing devpi-server to the internet is not safe!

Look into "Restricting who can create users" to prevent anyone from being able to create their own user account on your server.

For replication, devpi-server exposes the /+changelog route. If replication isn't used, this route should be blocked. Otherwise your whole server can be replicated from the outside, including the password hashes of all users. This includes deleted users until an export/import cycle has been done.
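One way to block the route when the server is not a replication master is to refuse it in the reverse proxy in front of devpi-server. The following nginx fragment is an added example, not part of the devpi documentation or its generated config; the server name, certificate paths and the backend port are assumptions.

```nginx
# Added example (not from the devpi project): minimal nginx front-end for a
# devpi-server that is NOT replicated. Names, paths and ports are assumptions.
server {
    listen 443 ssl;
    server_name pypi.example.internal;                 # assumption
    ssl_certificate     /etc/nginx/certs/devpi.crt;    # assumption
    ssl_certificate_key /etc/nginx/certs/devpi.key;    # assumption

    # Replication endpoint. Without this block anyone who can reach the proxy
    # can pull the whole server state, including every user's password hash.
    # A prefix match also covers sub-paths such as /+changelog/<serial>.
    location /+changelog {
        return 403;
    }

    # Everything else is forwarded to the local devpi-server process.
    location / {
        proxy_pass http://127.0.0.1:3141;              # assumed backend port
        proxy_set_header X-outside-url $scheme://$host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

After reloading nginx, a request to https://pypi.example.internal/+changelog from outside should return 403 while package routes keep working; if the server later becomes a replication master, this block has to be removed or restricted to the replica's address.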