---
title: Enable security features
description: Enable a collection of additional security and hardening features in InfluxDB OSS to better secure your InfluxDB instance.
url: https://docs.influxdata.com/influxdb/v2/admin/security/enable-hardening/
estimated_tokens: 541
product: InfluxDB OSS v2
version: v2
publisher: InfluxData
canonical: https://docs.influxdata.com/influxdb/v2/admin/security/enable-hardening/
date: '2023-11-06T15:53:12-07:00'
lastmod: '2023-11-06T15:53:12-07:00'
---

This page documents an earlier version of InfluxDB OSS.[InfluxDB 3 Core](/influxdb3/core/) is the latest stable version.

#### API token hashing is enabled by default in InfluxDB OSS 2.9.0

Stronger token security: tokens are stored as hashes on disk, so a
copy of the database file doesn’t expose usable tokens. Existing
tokens are hashed on first startup and the original strings can’t
be recovered afterward — **capture any plaintext tokens you still
need before you upgrade**.

For more information, see [Token hashing](/influxdb/v2/admin/tokens/#token-hashing).

InfluxDB 2.9 provides optional security features that ensure your
InfluxDB instance is secure in whatever environment it’s used in.

To enable all [additional security features](#security-features), use the[`hardening-enabled` configuration option](/influxdb/v2/reference/config-options/#hardening-enabled)when starting InfluxDB.

## Security features

* [Private IP Validation](#private-ip-validation)

### Private IP Validation

Some Flux functions ([`to()`](/flux/v0/stdlib/influxdata/influxdb/to/),[`from()`](/flux/v0/stdlib/influxdata/influxdb/from/), [`http.post()`](/flux/v0/stdlib/http/post/), etc.),[template fetching](/influxdb/v2/tools/influxdb-templates/) and[notification endpoints](/influxdb/v2/monitor-alert/notification-endpoints/)can require InfluxDB to make HTTP requests over the network.
With private IP validation enabled, InfluxDB first verifies that the IP address of the URL is not a private IP address.

IP addresses are considered private if they fall into one of the following categories:

* IPv4 loopback (`127.0.0.0/8`)
* RFC1918 (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
* RFC3927 (`169.254.0.0/16`)
* IPv6 loopback (`::1/128`)
* IPv6 link-local (`fe80::/10`)
* IPv6 unique local (`fc00::/7`)

#### Private IP considerations

If your environment requires that these authenticated HTTP requests be made to private IP addresses,
omit the use of `--hardening-enabled` and
consider instead setting up egress firewalling to limit which hosts InfluxDB is allowed to connect.

[security](/influxdb/v2/tags/security/)[hardening](/influxdb/v2/tags/hardening/)