--- title: Enable security features description: Enable a collection of additional security and hardening features in InfluxDB OSS to better secure your InfluxDB instance. url: https://docs.influxdata.com/influxdb/v2/admin/security/enable-hardening/ estimated_tokens: 742 product: InfluxDB OSS v2 version: v2 --- # Enable security features This page documents an earlier version of InfluxDB OSS. [InfluxDB 3 Core](/influxdb3/core/) is the latest stable version. #### API token hashing is enabled by default in InfluxDB OSS 2.9.0 Stronger token security: tokens are stored as hashes on disk, so a copy of the database file doesn’t expose usable tokens. Existing tokens are hashed on first startup and the original strings can’t be recovered afterward — **capture any plaintext tokens you still need before you upgrade**. For more information, see [Token hashing](/influxdb/v2/admin/tokens/#token-hashing). InfluxDB 2.9 provides optional security features that ensure your InfluxDB instance is secure in whatever environment it’s used in. To enable all [additional security features](#security-features), use the [`hardening-enabled` configuration option](/influxdb/v2/reference/config-options/#hardening-enabled) when starting InfluxDB. ## Security features - [Private IP Validation](#private-ip-validation) ### Private IP Validation Some Flux functions ([`to()`](/flux/v0/stdlib/influxdata/influxdb/to/), [`from()`](/flux/v0/stdlib/influxdata/influxdb/from/), [`http.post()`](/flux/v0/stdlib/http/post/), etc.), [template fetching](/influxdb/v2/tools/influxdb-templates/) and [notification endpoints](/influxdb/v2/monitor-alert/notification-endpoints/) can require InfluxDB to make HTTP requests over the network. With private IP validation enabled, InfluxDB first verifies that the IP address of the URL is not a private IP address. IP addresses are considered private if they fall into one of the following categories: - IPv4 loopback (`127.0.0.0/8`) - RFC1918 (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) - RFC3927 (`169.254.0.0/16`) - IPv6 loopback (`::1/128`) - IPv6 link-local (`fe80::/10`) - IPv6 unique local (`fc00::/7`) #### Private IP considerations If your environment requires that these authenticated HTTP requests be made to private IP addresses, omit the use of `--hardening-enabled` and consider instead setting up egress firewalling to limit which hosts InfluxDB is allowed to connect. [security](/influxdb/v2/tags/security/) [hardening](/influxdb/v2/tags/hardening/)