How Can You Enhance Odoo Security with the Latest Updates?
#1
With the release of Odoo 17 and upcoming improvements in Odoo 18, I'm revisiting our deployment's security posture. While Odoo security already provides a decent security baseline, production-grade setups still require careful hardening—especially for businesses managing sensitive data or operating in regulated industries.
A few specific areas I'm focusing on:
  • HTTPS & Reverse Proxy Security: How are you configuring Nginx/Apache for SSL offloading? Are you using HSTS and secure headers consistently?
  • Authentication Upgrades: Odoo now supports OAuth2 and LDAP natively—has anyone implemented 2FA via third-party apps or custom modules in v17?
  • Database & File Access: What’s your approach to minimizing exposure of .zip backups, managing database credentials securely (especially in containerized environments), and restricting public access to /web/database/*?
  • Module-Level Security: How are you handling ACLs for custom modules? Are record rules and groups granular enough for your workflows?
  • Odoo Recaptcha & Brute Force Prevention: Have you implemented captcha or rate-limiting on login endpoints?
Recent updates also hint at improved audit logs and better separation between admin and user permissions. I’d love to hear if anyone has automated security scans (e.g., using OWASP ZAP or Odoo’s XML-RPC exposure checks) or enforced a CI/CD-based security pipeline.
Let’s use this thread to share practical, real-world security implementations and how you're leveraging Odoo’s latest features to build a more secure environment.


Reply
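
Added example, not part of the original post and not Odoo's own tooling: a small Python audit of an `odoo.conf` that flags settings tied to the database-manager exposure, reverse-proxy and credential points raised above. The sample configuration is constructed, and the function name `audit_odoo_conf` and the finding wording are assumptions of this example.

```python
import configparser

# Constructed sample odoo.conf for illustration; not taken from any real deployment.
SAMPLE_CONF = """
[options]
admin_passwd = admin
db_user = odoo
db_password = odoo
proxy_mode = False
"""


def audit_odoo_conf(text):
    """Return a list of (option, finding) tuples for weak settings in an odoo.conf."""
    # RawConfigParser: dbfilter values such as ^%d$ must not be treated as interpolation.
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    opts = dict(cp["options"]) if cp.has_section("options") else {}
    findings = []

    # list_db defaults to True, which leaves the database manager and listing reachable.
    if opts.get("list_db", "True").strip().lower() != "false":
        findings.append(("list_db", "set to False to disable the /web/database/* manager"))

    # The master password guards backup, restore and drop; missing or default is unsafe.
    if opts.get("admin_passwd", "").strip() in ("", "admin"):
        findings.append(("admin_passwd", "missing or default master password"))

    # Behind Nginx/Apache TLS offloading, proxy_mode makes Odoo honour X-Forwarded-* headers.
    if opts.get("proxy_mode", "False").strip().lower() != "true":
        findings.append(("proxy_mode", "enable when behind a TLS-terminating reverse proxy"))

    # Without dbfilter, Odoo does not restrict which databases a request may target.
    if not opts.get("dbfilter", "").strip():
        findings.append(("dbfilter", "unset; pin to the expected database name pattern"))

    # Plaintext DB credentials in the file: in containers, prefer injecting them as secrets.
    if opts.get("db_password", "").strip():
        findings.append(("db_password", "plaintext; restrict file mode or inject via secret"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_odoo_conf(SAMPLE_CONF):
        print(f"[WEAK] {option}: {finding}")
```

A check like this fits in a CI step that fails the build when the returned list is non-empty; it complements, and does not replace, blocking `/web/database/*` at the reverse proxy.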



