This checklist summarizes settings we apply before pointing a real workload at Jenkins. Treat it as a baseline; adapt to your threat model and compliance requirements.
Network and TLS
- Terminate TLS on a reverse proxy (nginx, HAProxy) or the servlet container; disable plain HTTP for the UI and webhooks except on localhost.
- Restrict who can reach the controller: firewall or private network; agents connect outbound only where possible.
- Set Jenkins URL under Manage Jenkins → System to the public HTTPS base URL so generated links and webhook help text stay correct.
Authentication and authorization
- Use a real identity provider (OIDC/SAML/LDAP) instead of the built-in user database for anything beyond a lab.
- Prefer matrix or role-based authorization; deny anonymous read on production controllers unless you intentionally publish a public status page.
- Enable CSRF protection (default in modern Jenkins) and verify reverse-proxy headers are configured if you terminate TLS in front of Jenkins.
Agents and isolation
- Run builds on agents or ephemeral executors; keep the controller free of heavy jobs and ad-hoc shell access.
- Use per-job workspaces or disposable containers/VMs so secrets and artifacts from one pipeline do not leak into the next.
- Pin tool versions on agents or bake them into images so builds stay reproducible after agent replacement.
Secrets and credentials
- Store credentials in Jenkins credential stores or an external vault; avoid echoing secrets into logs and turn off shell xtrace in sensitive stages.
- Scope credentials narrowly (folder or job) and rotate them on the same schedule as the upstream systems.
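An added example, not taken from the checklist or from the Jenkins project, of the pattern behind the first bullet: a pipeline shell step that receives a credential through the environment (as a withCredentials binding would inject it), turns xtrace off around the sensitive command, and masks the token in captured output before it reaches the console log. DEPLOY_TOKEN, run_sensitive, mask_secret and fake_deploy are illustrative names, and the token value is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the checklist: a pipeline shell step that keeps
# a credential out of the console log. Assumes DEPLOY_TOKEN was exported by
# the caller (e.g. a Jenkins withCredentials binding); the default below is a
# constructed sample so the script runs stand-alone.
: "${DEPLOY_TOKEN:=constructed-sample-token-0123}"

# Replace every occurrence of the token in stdin with a fixed mask, so even
# tool error messages that echo the credential never reach the log.
mask_secret() {
    # Empty secret: sed "s//..." would fail, so pass the stream through.
    [ -n "$DEPLOY_TOKEN" ] || { cat; return 0; }
    # Escape characters that are special in a sed basic regular expression.
    esc=$(printf '%s' "$DEPLOY_TOKEN" | sed 's/[][\.*^$/]/\\&/g')
    sed "s/$esc/****/g"
}

# Run a command with xtrace off and restore the caller's setting afterwards.
# The secret must reach the command via the environment, not as an argument:
# with "set -x" active, the expanded call line is traced before the function
# body gets a chance to run "set +x".
run_sensitive() {
    case $- in *x*) had_xtrace=1 ;; *) had_xtrace=0 ;; esac
    set +x
    rc=0
    out=$("$@" 2>&1) || rc=$?
    printf '%s\n' "$out" | mask_secret
    [ "$had_xtrace" -eq 1 ] && set -x
    return "$rc"
}

# Constructed stand-in for a deploy CLI that leaks its token in messages and
# fails, so the masking and the exit-status propagation can both be checked.
fake_deploy() {
    echo "deploying to $1 with token $DEPLOY_TOKEN"
    echo "error: auth failed for token $DEPLOY_TOKEN" >&2
    return 3
}

# Stand-alone demonstration: a debugging stage with xtrace on calls the
# sensitive step; the token appears in neither the trace nor the output.
set -x
run_sensitive fake_deploy production
echo "deploy exit status: $?"
set +x
```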
Data, backups, and upgrades
- Back up JENKINS_HOME regularly (configuration, job definitions, plugins) and test restores on a staging controller.
- Pin plugin versions in production; upgrade in a maintenance window after reading changelogs and running automated smoke jobs.
- Keep long-term build logs and large artifacts on object storage or a dedicated archive; trim disk use on the controller.
Observability
- Ship controller and agent logs to your central stack; alert on queue backlog, disk usage, and failed plugin loads.
- Expose health or metrics endpoints only on trusted networks and scrape them with your usual monitoring agent.