Issue16 #24
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| # Security Observations | ||
|
|
||
| `dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. | ||
| This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations. | ||
|
|
||
| ## Form Input Validation | ||
|
|
||
| In order to create safe forms, `dotkernel/admin` makes use of [laminas/laminas-form](https://github.com/laminas/laminas-form) and [laminas/laminas-inputfilter](https://github.com/laminas/laminas-inputfilter). | ||
| All shipped forms have their inputs validated, and it is strongly recommended any custom forms added also make use of input filters to validate user input. | ||
|
|
||
| ## Cross-Site Request Forgery Protection | ||
|
|
||
| `dotkernel/admin` provides protection against CSRF attacks by using CSRF token creation and validation, available for all forms. | ||
|
|
||
| All forms provided make use of CSRF token validation, but you must ensure to implement this step for any new forms you create. | ||
|
|
||
| > This step is described in the [Set Up CSRF](../how-to/csrf.md) tutorial. | ||
| ## Role-Based Access Control | ||
|
|
||
| This project makes use of [dot-rbac-guard](https://github.com/dotkernel/dot-rbac-guard) and [dot-rbac](https://github.com/dotkernel/dot-rbac) to handle access control. | ||
|
|
||
| The default modules have already been configured, but any custom functionality will require additional configuration to make sure it is protected. | ||
| Update the configuration files of both these packages whenever you add new routes or roles. | ||
|
|
||
| > This step is described in the [Configure Authorizations](../how-to/authorization.md) tutorial. | ||
| ## Session and Cookie Settings | ||
|
|
||
| Make sure your session cookie settings are properly set up for usage in production by reviewing the `config/autoload/session.global.php` file. | ||
| Pay extra attention to the following keys, to make sure your desired values are set: | ||
|
|
||
| - `session_config.cookie_httponly` | ||
| - `session_config.cookie_samesite` | ||
| - `session_config.cookie_secure` | ||
|
|
||
| ## Demo Credentials | ||
|
|
||
| `Admin` ships with a demo admin account, with public identity and password. | ||
| **Make sure to change or remove this demo account when going live.** | ||
|
|
||
| ## PHP Dependencies | ||
|
|
||
| `dotkernel/admin` uses `composer` to handle PHP dependencies. | ||
| In time, make sure to review any common vulnerabilities and exposures for your dependencies. | ||
|
|
||
| > You may also keep an eye on the `dotkernel/admin` changelog for any updates relevant to your project. | ||
| ## JavaScript Dependencies | ||
|
|
||
| This project uses `npm` to handle JavaScript dependencies. | ||
| Keep an eye on any vulnerabilities whenever using `npm` to install or update packages. | ||
|
|
||
| > You may use the `npm audit` command to check for vulnerabilities in the current `node_modules`. | ||
| ## General Considerations | ||
|
|
||
| - `*.global.php` and `*.php.dist` configuration files are visible to the VCS, make sure **not** to include sensitive data in commits. | ||
| - `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys. | ||
| - Review `config/autoload/cors.global.php` to ensure your application is accessible by your preferred origins. | ||
| - Make sure the `development mode` is correctly set - **do not** enable `development mode` in a production environment. | ||
| - You can use the following command to check the current status: | ||
|
|
||
| ```shell | ||
| composer development-status | ||
| ``` | ||
|
|
||
| - `Admin` ships with a `laminas/laminas-ci` integration, consider keeping it in your custom applications to ensure code quality. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add a link to lamians-ci , or to the article relatd to it from getlaminas.org
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no such repo
laminas/laminas-ci.We should probably add the reference to https://github.com/laminas/laminas-continuous-integration because that is the package used in our repo: https://github.com/dotkernel/admin/blob/6.0/.github/workflows/continuous-integration.yml#L11