Ports addresses for web vs api access

One way is to disable API with sudo snap set wekan with-api='false' , and then monitor all of Wekan with Admin Panel Global Webhook

When API is disabled, users can not export board, and can not access user or admin API at all

You can also start another copy of wekan-app with docker that users same mongodb database at port 27019 with different settings

Or alternatively, have some webserver in front of Wekan that blocks API URLs

and only allows API calls from specific IP address

Related Docker settings here https://github.com/wekan/wekan/blob/master/docker-compose.yml#L565-L589

If doing it with only Docker

If you have Snap already, you can start additional wekan-app Docker-container without database, using settings at command line like this, with just Docker commands https://github.com/wekan/wekan/wiki/Docker

When currently coding that Worker role, I have been thinking should I add more granular role permissions, so it would be possible at Admin Panel define new roles, and specify can user with that role open cards, comment to cards, see what menu options, etc

Because otherwise I would need to code all different kind of roles myself to Wekan code

That permission system would probably be also needed with Organizations/Teams feature I'm developing

For example, which role has access to which Organization(s) or Team(s)

Or alternatively, I could try to fix current nearly-ready Worker role.

Hmm, I don't think is it a good idea to run snap+docker at the same time. It should be 2 snap or 2 docker.

If really 2 wekan installs would be required

otherwise Snap update to different version than Docker could mess up something

Maybe only one snap and some URL limiting webserver at front would be better

but I don't think having ELB in front of Wekan is good idea. Wekan requires websockets to work, and I don't know does ELB support websockets.

If there is websockets errors, you will see them in browser inspect console

Wekan does have bruteforce password guessing protections with accounts-lockout, there is snap settings for that, how many quesses are possible before blocking. Wekan also has XSS protection in web forms, and users that are not logged in can not change anything in database. Some permissions checks are serverside and some browserside, I have not tried yet is there a way to work around them in some way.

There is old hall of fame page for old security issues https://wekan.github.io/hall-of-fame/ although now that I look at it, there is old info. Wekan currently uses another accounts-lockout package and there is already settings for it.

I'm not currently aware of any existing security issues in Wekan. There is security page here https://github.com/wekan/wekan/blob/master/SECURITY.md

AFAIK old security issues have already been fixed

And Wekan dependencies are up-to-date in newest possible versions

BTW, did you listen to this episode of Security Now https://twit.tv/shows/security-now/episodes/746?autostart=false it has Show Notes here https://www.grc.com/sn/sn-746-notes.pdf it has info that it's possible for Open Source projects to ask Google to sponsor security fixes, there is link at PDF where to apply