| 1 | +# Basic Security |
| 2 | + |
| 3 | +`dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. |
| 4 | +This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations. |
| 5 | + |
| 6 | +## Form Input Validation |
| 7 | + |
| 8 | +In order to create safe forms, `dotkernel/admin` makes use of [laminas/laminas-form](https://github.com/laminas/laminas-form) and [laminas/laminas-inputfilter](https://github.com/laminas/laminas-inputfilter). |
| 9 | +All shipped forms have their inputs validated, and it is strongly recommended any custom forms added also make use of input filters to validate user input. |
| 10 | + |
| 11 | +## Cross-Site Request Forgery Protection |
| 12 | + |
| 13 | +`dotkernel/admin` provides protection against CSRF attacks by using CSRF token creation and validation, available for all forms. |
| 14 | + |
| 15 | +All forms provided make use of CSRF token validation, but you must ensure to implement this step for any new forms you create. |
| 16 | + |
| 17 | +> This step is described in the [Set Up CSRF](../how-to/csrf.md) tutorial. |
| 18 | +
|
| 19 | +## Role-Based Access Control |
| 20 | + |
| 21 | +This project makes use of [dot-rbac-guard](https://github.com/dotkernel/dot-rbac-guard) and [dot-rbac](https://github.com/dotkernel/dot-rbac) to handle access control. |
| 22 | + |
| 23 | +The default modules have already been configured, but any custom functionality will require additional configuration to make sure it is protected. |
| 24 | +Update the configuration files of both these packages whenever you add new routes or roles. |
| 25 | + |
| 26 | +> This step is described in the [Configure Authorizations](../how-to/authorization.md) tutorial. |
| 27 | +
|
| 28 | +## Session and Cookie Settings |
| 29 | + |
| 30 | +Make sure your session cookie settings are properly set up for usage in production by reviewing the `config/autoload/session.global.php` file. |
| 31 | +Pay extra attention to the following keys, to make sure your desired values are set: |
| 32 | + |
| 33 | +- `session_config.cookie_httponly` |
| 34 | +- `session_config.cookie_samesite` |
| 35 | +- `session_config.cookie_secure` |
| 36 | + |
| 37 | +## Demo Credentials |
| 38 | + |
| 39 | +`Admin` ships with a demo admin account, with public identity and password. |
| 40 | +**Make sure to change or remove this demo account when going live.** |
| 41 | + |
| 42 | +## PHP Dependencies |
| 43 | + |
| 44 | +`dotkernel/admin` uses `composer` to handle PHP dependencies. |
| 45 | +In time, make sure to review any common vulnerabilities and exposures for your dependencies. |
| 46 | + |
| 47 | +> You may also keep an eye on the `dotkernel/admin` changelog for any updates relevant to your project. |
| 48 | +
|
| 49 | +## JavaScript Dependencies |
| 50 | + |
| 51 | +This project uses `npm` to handle JavaScript dependencies. |
| 52 | +Keep an eye on any vulnerabilities whenever using `npm` to install or update packages. |
| 53 | + |
| 54 | +> You may use the `npm audit` command to check for vulnerabilities in the current `node_modules`. |
| 55 | +
|
| 56 | +## General Considerations |
| 57 | + |
| 58 | +- `*.global.php` and `*.php.dist` configuration files are visible to the VCS, make sure **not** to include sensitive data in commits. |
| 59 | + - `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys. |
| 60 | +- Review `config/autoload/cors.global.php` to ensure your application is accessible by your preferred origins. |
| 61 | +- Make sure the `development mode` is correctly set - **do not** enable `development mode` in a production environment. |
| 62 | + - You can use the following command to check the current status: |
| 63 | + |
| 64 | +```shell |
| 65 | +composer development-status |
| 66 | +``` |
| 67 | + |
| 68 | +- `Admin` ships with a [Laminas Continuous Integration](https://github.com/laminas/laminas-continuous-integration-action) GitHub Action, |
| 69 | +if you are using a public repository consider keeping it in your custom applications to ensure code quality. |
| 70 | + |
| 71 | +> Read more about using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-08-05-using-laminas-continuous-integration.html). |
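Review bot: the "Session and Cookie Settings" section lists `session_config.cookie_httponly`, `session_config.cookie_samesite` and `session_config.cookie_secure` but never states what the production values should be, so a reader who has not met these PHP session options has to guess; state them beside the list (`cookie_httponly` and `cookie_secure` set to `true`, `cookie_samesite` set to `Lax` or `Strict`) and mention that `cookie_secure` only works when the site is served over HTTPS, since the cookie will otherwise not be sent at all. Separately, the "PHP Dependencies" section tells the reader to "review any common vulnerabilities and exposures" without naming a tool, while the "JavaScript Dependencies" section points to `npm audit`; the parallel `composer audit` command belongs in the blockquote there so the two sections give equivalent guidance.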