The weakness of using shared hosting or a hosting company is you are giving them the possibility to access all your data. I think with VPS or those higher business package you have more control of it but I have personally never use it, those should have encryption and other security measure that you or your I.T guy can control.

In term of encryption, I don't think most of the data is encrypted, maybe only password is hashed otherwise if you have access to the database file you can review and see everything. There is a few topic on encryption data but with encryption you will risk one flaw: loading time and server overloading.

HTTPS is not enable by default or can be forced via the interface. I choose my URL to be HTTPS but it still defaulting to HTTP at the moment.

This CRM and like many other got Security control for User/Department/Team/Portal Group/etc so there that control ability if you ever want to use it.

Welcome to EspoCRM, I have used quite a few before (over 2 years of switching and changing) and EspoCRM have one feature that I been looking for. Who know I may move on again if I can find another that fit my needs. Hope to see you joining the community.

Thanks for that information! Noted on the HTTPS settings. I was already anticipating doing that.

I'm a little less concerned about GoDaddy's ability to access the data, but I really like your suggestion about encrypting the data at rest. I'll test it out and see what performance issues we run into. I'm not expecting a ton of users so it might be acceptable.

What I'm most concerned about is how secure things are from hackers. I found this article (https://www.cvedetails.com/vulnerabi...6/Espocrm.html) which indicates there's a serious security risk allowing users to traverse directories. But my gut tells me that it's just a matter of removing the install directory. Am I right? I don't think it's required after the initial install.

Hello,
This is not a personal blog... then forget shared, you need a good VPS with SSD minimum. i think 4G or 8G ram.
atfer, a Linux .. i have make Centos7 and now Centos8 .. with all requirement (php module and so and custom setting) .. so you need access root to your VPS.
you need to configure apache/nginx/mariaDb/php.. and centos firewall, let'sencrypt and so.

and after you can install espoCRM

That is a good website, to be honest it is quite hard to find more online information of EspoCRM. Most article, blog, etc don't event mention of EspoCRM, honestly I don't even remember how I know about EspoCRM.

Haven't dig through the website yet and it seem too technical for me either way, but I can see there might be some security flaws. On one of web browser I got a "Partial Unsecured connection" notification on my Firefox's browser when the Protections is enable. Not sure if it due to some image or script.

Briefly reviewing it, it seem only earlier version that have that issue. Which may post a serious threat to user that do not upgrade, I'm fairly new to the system so haven't got the Update alert yet, but with a giant sidebar on the administration page I would assume the alert to update your EspoCRM would be quite aggressive.

I believe after discovering these security risk they would email/contact the developer about it to get it fix up, or the developer them self might monitor the page to do hotfix if it serious or a incremental update.

Some security recommendations :

* don't use admin user account for work, only when you need to configure the system
* use 2-factor auth
* disable write access for all folders & files except 'custom/Espo/Custom/Resources' and 'data'