Security Settings
Configure security policies for your entire server — two-factor authentication enforcement, passphrase requirements, and more.
Enforce 2FA
Two-factor authentication is mandatory by default. If for any reason it was relaxed, you can re-enforce it workspace-wide. When enforced, all users must complete 2FA setup before they can use the messenger.
Minimum Passphrase Length
Set the minimum passphrase length for all users. The default minimum is 6 characters. You can increase this up to 128 characters. This applies to new accounts and password changes — existing users are not forced to change their passphrase unless they reset it.
Account Lockout
Freedom Messenger automatically locks accounts after repeated failed login attempts. This protects against brute-force attacks. The lockout is temporary and resets after a cooldown period.
Rate Limiting
Built-in rate limiting protects your server from abuse. These limits are active by default and cannot currently be changed through the UI:
| Action | Limit |
|---|---|
| Login attempts | 20 per 15 minutes |
| Join (registration) | 10 per 15 minutes |
| TOTP verification | 10 per 5 minutes |
| File uploads | 20 per hour per user |
| Messages | 60 per minute per user |
| Global (per IP) | 120 per minute |
Config File Permissions
The server enforces that config.toml has permissions set to 0600 (owner read/write only). If the file has more permissive permissions, the server will warn on startup. This protects your master secret and encryption keys.
Related
- Security Overview — detailed explanation of all security layers
- Managing Users — reset 2FA and passwords for individual users