Hipchat Server Security
This page provides security details and recommendations.
Hipchat uses strong encryption to transmit your data and files.
While Hipchat Server comes with a self-signed SSL certificate by default for initial testing purposes, we strongly recommend you use an SSL certificate that you get verified by a trusted Root CA vendor. For more information, see Creating or Obtaining an SSL Key and Certificate.
Hipchat Server requires you to have a small set of inbound and outbound TCP ports open. For the list of ports, see the System Requirements for Hipchat Server page. Hipchat Server does have an internal firewall which does basic traffic protection while allowing the required ports.
Recommendations for deploying Hipchat Server from an OVA
These recommendations apply to people deploying Hipchat Server using the open archive (OVA) image on a virtual machine.
To ensure Hipchat Server is configured securely, we recommend you take the following steps:
- Add an external firewall as the first point to filter traffic. (For example, you can add additional filters by IP address.)
- Configure a router with port forwarding. (This way, you control the routing table and only forward the required open ports.)
- Change the default console/SSH admin password. For instructions, see Deploying from the OVA image
- Replace the self signed SSL certificate with one from a trusted Root CA vendor. For instructions, see Creating or Obtaining an SSL Key and Certificate.
- Check the list of features and disable any features you're not using:
- Log in to Hipchat Server. For example: or https://IPv4
- Click Group admin > Features. You can disable some features and restrict others to administrators.
- Click Server admin > Video. You can disable video chat, here.
Note: Hipchat Server has an internal firewall that does basic traffic protection while allowing the required ports to be open.
Don't modify Hipchat Server's internal firewall. By modifying it, you may inadvertently create a security risk.
Recommendations for deploying Hipchat Server using an AMI
If you're deploying Hipchat Server using an Amazon Machine Image (AMI), Amazon Web Services have their own additional security infrastructure. You can learn more at Amazon Web Services Security Center.
Deploying Hipchat Server in a VPN
You can deploy your Hipchat Server behind your firewall with internal-only access rules, an internal IP address, or a private DNS. This will require all inbound client access to be from within your organization's VPN.
You must ensure your Hipchat clients can perform DNS resolution to a VPN-deployed Hipchat Server.
Note: Many integrations expect direct access to Hipchat Server. Check the details of any integration you wish to install.
Deploying Hipchat Server in a DMZ
You can deploy Hipchat Server in a DMZ, but you must ensure access to any internal systems that your Hipchat Server might need. For example if your deployment is using the directory integration, then it would need access to your LDAP server.
Hiding message previews in notifications
If you don't want messages showing up in notifications on mobile devices or in emails, you can disable message previews. You can learn more at Hide message previews on notifications.