Skip to content

Issue16 #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
arhimede merged 6 commits into from
Oct 6, 2025
Merged

Issue16 #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
3fa866c
initial security section
Jurj-Bogdan Sep 30, 2025
cd3e2bd
linting fix
Jurj-Bogdan Sep 30, 2025
27c6166
requested changes
Jurj-Bogdan Oct 3, 2025
1d7dc82
wording and article change
Jurj-Bogdan Oct 3, 2025
36198ec
note regarding gh action
Jurj-Bogdan Oct 3, 2025
294184b
page title change
Jurj-Bogdan Oct 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions docs/book/v6/security/basic-security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
# Basic Security

`dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them.
This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations.

## Form Input Validation

In order to create safe forms, `dotkernel/admin` makes use of [laminas/laminas-form](https://github.com/laminas/laminas-form) and [laminas/laminas-inputfilter](https://github.com/laminas/laminas-inputfilter).
All shipped forms have their inputs validated, and it is strongly recommended any custom forms added also make use of input filters to validate user input.

## Cross-Site Request Forgery Protection

`dotkernel/admin` provides protection against CSRF attacks by using CSRF token creation and validation, available for all forms.

All forms provided make use of CSRF token validation, but you must ensure to implement this step for any new forms you create.

> This step is described in the [Set Up CSRF](../how-to/csrf.md) tutorial.

## Role-Based Access Control

This project makes use of [dot-rbac-guard](https://github.com/dotkernel/dot-rbac-guard) and [dot-rbac](https://github.com/dotkernel/dot-rbac) to handle access control.

The default modules have already been configured, but any custom functionality will require additional configuration to make sure it is protected.
Update the configuration files of both these packages whenever you add new routes or roles.

> This step is described in the [Configure Authorizations](../how-to/authorization.md) tutorial.

## Session and Cookie Settings

Make sure your session cookie settings are properly set up for usage in production by reviewing the `config/autoload/session.global.php` file.
Pay extra attention to the following keys, to make sure your desired values are set:

- `session_config.cookie_httponly`
- `session_config.cookie_samesite`
- `session_config.cookie_secure`

## Demo Credentials

`Admin` ships with a demo admin account, with public identity and password.
**Make sure to change or remove this demo account when going live.**

## PHP Dependencies

`dotkernel/admin` uses `composer` to handle PHP dependencies.
In time, make sure to review any common vulnerabilities and exposures for your dependencies.

> You may also keep an eye on the `dotkernel/admin` changelog for any updates relevant to your project.

## JavaScript Dependencies

This project uses `npm` to handle JavaScript dependencies.
Keep an eye on any vulnerabilities whenever using `npm` to install or update packages.

> You may use the `npm audit` command to check for vulnerabilities in the current `node_modules`.

## General Considerations

- `*.global.php` and `*.php.dist` configuration files are visible to the VCS, make sure **not** to include sensitive data in commits.
- `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys.
- Review `config/autoload/cors.global.php` to ensure your application is accessible by your preferred origins.
- Make sure the `development mode` is correctly set - **do not** enable `development mode` in a production environment.
- You can use the following command to check the current status:

```shell
composer development-status
```

- `Admin` ships with a [Laminas Continuous Integration](https://github.com/laminas/laminas-continuous-integration-action) GitHub Action,
if you are using a public repository consider keeping it in your custom applications to ensure code quality.

> Read more about using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-08-05-using-laminas-continuous-integration.html).
2 changes: 2 additions & 0 deletions mkdocs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ nav:
- "Use NPM Commands": v6/how-to/npm_commands.md
- "Inject Dependencies": v6/how-to/dependency-injection.md
- "Set Up CSRF": v6/how-to/csrf.md
- Security:
- "Basic Security": v6/security/basic-security.md
- Tutorials:
- "Creating a book module using DotMaker": v6/tutorials/create-book-module-via-dot-maker.md
site_name: admin
Expand Down