1 Security best practices
Overview
This section contains best practices for setting up Zabbix in a secure way.
The practices in this section are not required for the functioning of Zabbix but are recommended for better system security.
UTF-8 encoding
UTF-8 is the only encoding supported by Zabbix. It is known to work without any security flaws. Users should be aware that there are known security issues if using some of the other encodings.
Windows installer paths
When using Windows installers, it is recommended to use the default paths provided by the installer. Using custom paths without proper permissions could compromise the security of the installation.
Macros in user-defined global scripts
To enhance security, it is recommended to use macro functions instead of plain macros in user-defined global scripts, as macros are not automatically escaped.
Zabbix Security Advisories and CVE database
See Zabbix Security Advisories and CVE database.
HTML email templates
When creating or editing message templates used for HTML emails, always wrap every macro with the htmlencode() macro function.
For example:
<b>Problem started</b> at {{EVENT.TIME}.htmlencode()} on {{EVENT.DATE}.htmlencode()}<br><b>Problem name:</b> {{EVENT.NAME}.htmlencode()}<br><b>Host:</b> {{HOST.NAME}.htmlencode()}<br><b>Severity:</b> {{EVENT.SEVERITY}.htmlencode()}<br><b>Operational data:</b> {{EVENT.OPDATA}.htmlencode()}<br><b>Original problem ID:</b> {{EVENT.ID}.htmlencode()}<br>{{TRIGGER.URL}.htmlencode()}
Using htmlencode() ensures that any HTML characters in macro values are escaped and prevents injection of HTML into notifications (for example, an attacker inserting a malicious/phishing link into a notification).
Note: the default HTML email messages provided by Zabbix already apply htmlencode() to macros.
This guidance applies both when editing existing templates and when creating new ones: verify that every macro is wrapped in htmlencode() before using a template to send HTML email.
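To make the difference between a plain macro and an htmlencode()-wrapped macro concrete, here is an added example (not code from Zabbix or its documentation) that emulates a minimal template resolver for the two macro forms shown above and includes a check that flags any macro left unencoded in an HTML template. It assumes that htmlencode() escapes the characters &, <, >, " and ' (an approximation of Zabbix's behaviour), leaves unknown macros unresolved, and uses constructed sample event values; the EVENT.NAME value deliberately contains markup so that the effect of encoding is visible.

```python
import html
import re

# Constructed sample event values (not real Zabbix data). EVENT.NAME carries
# HTML markup and EVENT.OPDATA an ampersand, so the effect of encoding shows.
SAMPLE_EVENT = {
    "EVENT.TIME": "12:34:56",
    "EVENT.DATE": "2024.01.01",
    "EVENT.NAME": 'Disk full <a href="http://example.invalid">details</a>',
    "HOST.NAME": "db-01",
    "EVENT.SEVERITY": "High",
    "EVENT.OPDATA": "free: 0 B & falling",
    "EVENT.ID": "12345",
    "TRIGGER.URL": "http://example.invalid/trigger?id=1",
}

# Template from the best-practices text: every macro wrapped in htmlencode().
SAFE_TEMPLATE = (
    "<b>Problem started</b> at {{EVENT.TIME}.htmlencode()} on {{EVENT.DATE}.htmlencode()}"
    "<br><b>Problem name:</b> {{EVENT.NAME}.htmlencode()}"
    "<br><b>Host:</b> {{HOST.NAME}.htmlencode()}"
    "<br><b>Severity:</b> {{EVENT.SEVERITY}.htmlencode()}"
    "<br><b>Operational data:</b> {{EVENT.OPDATA}.htmlencode()}"
    "<br><b>Original problem ID:</b> {{EVENT.ID}.htmlencode()}"
    "<br>{{TRIGGER.URL}.htmlencode()}"
)

# Constructed counter-example: EVENT.NAME used as a plain, unescaped macro.
UNSAFE_TEMPLATE = "<b>Problem name:</b> {EVENT.NAME}<br><b>Host:</b> {{HOST.NAME}.htmlencode()}"

# {{MACRO}.htmlencode()} -- macro wrapped in the htmlencode() macro function
ENCODED_RE = re.compile(r"\{\{([A-Z0-9_.]+)\}\.htmlencode\(\)\}")
# {MACRO} -- plain macro; the lookarounds skip the inner braces of the form above
PLAIN_RE = re.compile(r"(?<!\{)\{([A-Z0-9_.]+)\}(?!\.)")


def htmlencode(value: str) -> str:
    """Approximation of Zabbix's htmlencode(): escape &, <, >, \" and '."""
    return html.escape(value, quote=True)


def render(template: str, values: dict) -> str:
    """Resolve macros the way a notification would; unknown macros stay as-is."""
    def encoded(match):
        name = match.group(1)
        return htmlencode(values[name]) if name in values else match.group(0)

    def plain(match):
        name = match.group(1)
        return values[name] if name in values else match.group(0)

    # Encoded forms first, so their inner {MACRO} is never treated as plain.
    out = ENCODED_RE.sub(encoded, template)
    return PLAIN_RE.sub(plain, out)


def find_unencoded_macros(template: str) -> list:
    """Names of macros used without htmlencode(); empty means the template passes."""
    return PLAIN_RE.findall(template)


if __name__ == "__main__":
    for label, tpl in (("safe", SAFE_TEMPLATE), ("unsafe", UNSAFE_TEMPLATE)):
        print(f"[{label}] unencoded macros: {find_unencoded_macros(tpl)}")
        print(f"[{label}] rendered: {render(tpl, SAMPLE_EVENT)}\n")
```

Running the check over every HTML message template before it is put into use (for example in a review step when templates are exported from the frontend) catches the plain-macro case before a notification with raw HTML reaches a mailbox; in the rendered output the unsafe template reproduces the anchor tag verbatim, whereas the safe one turns it into inert text.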