
Security Best Practices

This guide covers security best practices for protecting your OmniSuite CMS installation, including server security, application security, user security, and data protection.


Table of Contents

  1. Overview
  2. Server Security
  3. Application Security
  4. User Security
  5. Data Protection
  6. SSL/HTTPS Setup
  7. Security Updates

Overview

Why Security Matters

  • ✅ Protect user data
  • ✅ Prevent unauthorized access
  • ✅ Maintain trust
  • ✅ Comply with regulations
  • ✅ Prevent attacks

Security Layers

Multiple Layers:

  1. Server security
  2. Application security
  3. User security
  4. Data protection
  5. Network security

Server Security

Server Hardening

Update System

Regular Updates:

```bash
# Ubuntu/Debian
sudo apt update && sudo apt upgrade -y

# CentOS/RHEL
sudo yum update -y
```

Firewall Configuration

UFW (Ubuntu/Debian):

```bash
sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'
sudo ufw enable
```

Firewalld (CentOS/RHEL):

```bash
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
```

SSH Security

Disable Root Login:

```text
# /etc/ssh/sshd_config
# (sshd_config does not accept trailing comments; keep comments on their own lines)
PermitRootLogin no
# Key-based logins only: password logins are refused once this is "no"
PasswordAuthentication no
# Validate with "sudo sshd -t" before restarting sshd, and keep your current
# session open until a fresh key-based login succeeds
```

Use SSH Keys:

  • Generate SSH key pair
  • Add public key to server
  • Disable password authentication

File Permissions

Correct Permissions

Directories:

```bash
# Run from the application root (the directory containing artisan)
find . -type d -exec chmod 755 {} \;
```

Files:

```bash
find . -type f -exec chmod 644 {} \;
```

Writable Directories:

```bash
# The only paths PHP needs to write to; the owner or group must be the PHP-FPM user
chmod -R 775 storage bootstrap/cache
```

Sensitive Files:

```bash
# Only the owner can read or write .env, so the owner must be the user PHP-FPM runs as
chmod 600 .env
```

Application Security

Environment Configuration

.env File Security

Protect .env:

  • Never commit to version control
  • Restrict file permissions (600)
  • Use strong passwords
  • Rotate keys regularly

Application Key

Generate Key:

```bash
# Writes a new random APP_KEY into .env. Rotating it invalidates existing
# sessions and anything encrypted with the old key (Crypt, encrypted casts),
# so re-encrypt that data before rotating on a live installation.
php artisan key:generate
```

Keep Secret:

  • Never expose in code
  • Don't share publicly
  • Rotate if compromised

Password Security

Strong Passwords

Requirements:

  • Minimum 8 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • No common words
  • Unique per account

Password Hashing

Laravel Default:

  • Uses bcrypt
  • Automatically hashed
  • Salt included
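The password requirements above and the bcrypt hashing described here, as an added example that is not OmniSuite CMS code. It assumes a standard Laravel 9+ application with the `App\Models\User` model and the default bcrypt driver in `config/hashing.php`; the function names are illustrative.

```php
<?php
// Added example, not OmniSuite CMS code. Assumes a Laravel 9+ app with the
// App\Models\User model and bcrypt configured in config/hashing.php.

use App\Models\User;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rules\Password;

/**
 * One rule object implementing the requirements list. Reuse it wherever a
 * password is set (registration, reset, change) so the policy cannot drift.
 */
function passwordRule(): Password
{
    return Password::min(8)      // minimum length
        ->mixedCase()            // upper- and lower-case letters
        ->numbers()              // at least one digit
        ->symbols()              // at least one symbol
        ->uncompromised();       // reject passwords seen in public breach dumps
                                 // (k-anonymity query to haveibeenpwned.com; needs outbound HTTPS)
}

/**
 * Storing a password: Hash::make() runs bcrypt with a random per-password salt
 * embedded in the hash, so two users with the same password get different hashes.
 */
function createUser(string $name, string $email, string $plainPassword): User
{
    return User::create([
        'name' => $name,
        'email' => $email,
        'password' => Hash::make($plainPassword),
    ]);
}

/**
 * Verifying a password: Hash::check() compares against the stored hash. If the
 * bcrypt cost in config/hashing.php was raised after the hash was created,
 * needsRehash() lets you upgrade it transparently on a successful login.
 */
function verifyPassword(User $user, string $plainPassword): bool
{
    if (! Hash::check($plainPassword, $user->password)) {
        return false;
    }

    if (Hash::needsRehash($user->password)) {
        $user->forceFill(['password' => Hash::make($plainPassword)])->save();
    }

    return true;
}
```

In a controller the rule is used as `$request->validate(['password' => ['required', 'confirmed', passwordRule()]])`. If your `User` model declares the `'password' => 'hashed'` cast (the Laravel 10+ skeleton does), assign the plain text and let the cast call `Hash::make()` for you rather than hashing twice.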

SQL Injection Prevention

Laravel Protection:

  • Uses prepared statements
  • Query builder protection
  • Eloquent ORM protection

Best Practices:

  • Always use query builder
  • Never concatenate SQL
  • Validate input
  • Use parameter binding
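The four practices above side by side, as an added example that is not OmniSuite CMS code. It assumes a standard Laravel `users` table with `email`, `status` and `created_at` columns and the `App\Models\User` model; the first function is the "before" form kept only to show what the others replace.

```php
<?php
// Added example, not OmniSuite CMS code. Assumes a Laravel "users" table with
// "email", "status" and "created_at" columns and the App\Models\User model.

use App\Models\User;
use Illuminate\Support\Facades\DB;

// VULNERABLE: the input is spliced into the SQL text, so it can change the
// query's structure instead of being treated as a value. Never ship this.
function findUserUnsafe(string $email): array
{
    return DB::select("SELECT * FROM users WHERE email = '" . $email . "'");
}

// SAFE: parameter binding. SQL and data reach the driver separately, so the
// input can only ever be compared as a value.
function findUserWithBinding(string $email): array
{
    return DB::select('SELECT * FROM users WHERE email = ?', [$email]);
}

// SAFE and idiomatic: the query builder and Eloquent bind every value you pass.
function findActiveUser(string $email): ?User
{
    return User::query()
        ->where('email', $email)
        ->where('status', 'active')
        ->first();
}

// "Raw" methods stay safe as long as the values go through bindings...
function usersCreatedAfter(string $isoDate): array
{
    return DB::table('users')
        ->whereRaw('created_at > ?', [$isoDate])
        ->get()
        ->all();
}

// ...but identifiers (column names, sort direction) cannot be bound. Validate
// them against an allow-list before they reach the query.
function listUsersSorted(string $column, string $direction)
{
    $allowed = ['name', 'email', 'created_at'];
    if (! in_array($column, $allowed, true)) {
        $column = 'created_at';
    }
    $direction = strtolower($direction) === 'asc' ? 'asc' : 'desc';

    return User::query()->orderBy($column, $direction)->get();
}
```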

XSS Protection

Laravel Protection:

  • Automatic escaping
  • Blade template protection
  • CSRF protection

Best Practices:

  • Escape output
  • Use Blade syntax
  • Validate input
  • Sanitize user content

CSRF Protection

Laravel CSRF:

  • Automatic token generation
  • Form token validation
  • API token protection

Best Practices:

  • Always include tokens
  • Verify on POST requests
  • Use middleware
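The XSS and CSRF practices above in one Blade view, as an added example that is not an OmniSuite CMS template. The path `resources/views/comments/create.blade.php`, the `comments.store` route and the `$comments` collection with `author`/`body` attributes are assumptions; the `VerifyCsrfToken` middleware it relies on is part of Laravel's default `web` middleware group.

```php
{{-- Added example, not an OmniSuite CMS view: resources/views/comments/create.blade.php
     (assumed path). Shows CSRF token inclusion and output escaping in Blade. --}}
<form method="POST" action="{{ route('comments.store') }}">
    {{-- @csrf renders a hidden _token field; the VerifyCsrfToken middleware in
         the "web" group rejects POST/PUT/PATCH/DELETE requests without a valid one. --}}
    @csrf

    <label for="body">Comment</label>
    {{-- old() re-fills the field after a validation error; {{ }} HTML-escapes it. --}}
    <textarea id="body" name="body">{{ old('body') }}</textarea>

    <button type="submit">Post</button>
</form>

<ul>
@foreach ($comments as $comment)
    {{-- SAFE: double braces run the value through htmlspecialchars, so a comment
         containing <script> is displayed as text rather than executed. --}}
    <li>{{ $comment->author }}: {{ $comment->body }}</li>

    {{-- UNSAFE for user content: {!! !!} prints the raw string. Reserve it for
         markup you generated yourself or already sanitised server-side. --}}
    {{-- <li>{!! $comment->body !!}</li> --}}
@endforeach
</ul>

{{-- Passing data into JavaScript is a different context: HTML escaping is not
     enough there. Js::from() JSON-encodes and escapes for a <script> block. --}}
<script>
    const authorNames = {{ Illuminate\Support\Js::from($comments->pluck('author')) }};
</script>
```

The controller behind `comments.store` should still validate the input (`$request->validate(['body' => ['required', 'string', 'max:2000']])`); escaping on output and validating on input are complementary, not alternatives. For API routes that carry a bearer token instead of a session cookie, CSRF tokens do not apply and the `api` middleware group does not check them.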

User Security

Authentication

Strong Authentication

Requirements:

  • Strong passwords
  • Email verification
  • Two-factor authentication (if available)
  • Account lockout

Session Security

Configuration:

  • Secure session cookies
  • HTTP-only cookies
  • Same-site cookies
  • Session timeout
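The four session settings above as a `config/session.php` file, added here as an example rather than OmniSuite CMS configuration. Key names follow the Laravel 9/10 default file; the chosen values (database driver, 30-minute idle timeout, `SESSION_SECURE_COOKIE` defaulting to `true`) are this example's hardened defaults, and each still reads the `.env` variable first.

```php
<?php
// Added example, not OmniSuite CMS configuration: config/session.php with the
// cookie settings hardened. Key names follow the Laravel 9/10 default file.

use Illuminate\Support\Str;

return [
    // Keep session data server-side; the cookie then carries only an opaque id.
    'driver' => env('SESSION_DRIVER', 'database'),

    // Idle timeout in minutes, and drop the session when the browser closes.
    'lifetime' => env('SESSION_LIFETIME', 30),
    'expire_on_close' => true,

    // Encrypt stored session payloads with APP_KEY.
    'encrypt' => true,

    // Backing stores for the file/database/cache drivers.
    'files' => storage_path('framework/sessions'),
    'connection' => env('SESSION_CONNECTION'),
    'table' => 'sessions',
    'store' => env('SESSION_STORE'),

    // Probability (2 in 100 requests) of sweeping expired sessions.
    'lottery' => [2, 100],

    // Cookie name and scope.
    'cookie' => env('SESSION_COOKIE', Str::slug(env('APP_NAME', 'laravel'), '_').'_session'),
    'path' => '/',
    'domain' => env('SESSION_DOMAIN'),

    // Secure: browsers send the cookie over HTTPS only. Right for production; on a
    // plain-http development host set SESSION_SECURE_COOKIE=false or logins will not stick.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // HttpOnly: JavaScript cannot read the cookie, so an XSS bug cannot simply
    // exfiltrate the session id.
    'http_only' => true,

    // SameSite=lax: the cookie is not sent on cross-site POSTs, a second line of
    // defence behind the CSRF token. Use 'strict' only if no cross-site link to a
    // logged-in page needs to work.
    'same_site' => 'lax',
];
```

Verify the result from outside: the `Set-Cookie` header on a login response should carry `Secure; HttpOnly; SameSite=Lax`.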

Authorization

Role-Based Access

Best Practices:

  • Principle of least privilege
  • Regular permission review
  • Remove unused permissions
  • Monitor access

User Permissions

Management:

  • Assign appropriate roles
  • Review regularly
  • Remove when no longer needed
  • Audit access

Account Security

Account Lockout

Configuration:

  • Max login attempts
  • Lockout duration
  • Automatic unlock
  • Notification
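The four lockout settings above implemented with Laravel's `RateLimiter` facade, as an added example that is not OmniSuite CMS code. It assumes Laravel 8+, a `security` log channel defined in `config/logging.php`, and a login form posting `email` and `password`; the constants and function names are illustrative, and the structure follows the throttling in Laravel's own Breeze starter kit.

```php
<?php
// Added example, not OmniSuite CMS code. Assumes Laravel 8+ (RateLimiter facade)
// and a "security" channel in config/logging.php. Covers: max attempts, lockout
// duration, automatic unlock (the counter expires), and a notification (log entry).

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

const MAX_LOGIN_ATTEMPTS = 5;      // failures allowed before lockout
const LOCKOUT_SECONDS = 15 * 60;   // lockout window; the counter expires after this, so unlock is automatic

/** Throttle per account AND per source address, so one source cannot lock everyone out. */
function loginThrottleKey(string $email, string $ip): string
{
    return Str::lower($email) . '|' . $ip;
}

/** Returns true on success; throws a validation error while locked out. */
function attemptLogin(Request $request): bool
{
    $credentials = $request->validate([
        'email' => ['required', 'email'],
        'password' => ['required', 'string'],
    ]);

    $key = loginThrottleKey($credentials['email'], $request->ip());

    if (RateLimiter::tooManyAttempts($key, MAX_LOGIN_ATTEMPTS)) {
        $seconds = RateLimiter::availableIn($key);

        // Notification: record the lockout where the security logs are monitored.
        Log::channel('security')->warning('login.lockout', [
            'email' => $credentials['email'],
            'ip' => $request->ip(),
            'retry_after_seconds' => $seconds,
        ]);

        throw ValidationException::withMessages([
            'email' => "Too many login attempts. Try again in {$seconds} seconds.",
        ]);
    }

    if (! Auth::attempt($credentials, $request->boolean('remember'))) {
        // Count the failure; the counter lives LOCKOUT_SECONDS and then clears itself.
        RateLimiter::hit($key, LOCKOUT_SECONDS);
        return false;
    }

    // Success: reset the counter and rotate the session id to prevent fixation.
    RateLimiter::clear($key);
    $request->session()->regenerate();

    return true;
}
```

The window starts at the first failure, so the "try again in" value counts down from that point. Because the key includes the client address, a site behind a load balancer must trust the proxy (the `TrustProxies` middleware) so `$request->ip()` is the real client and not the balancer.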

Password Policies

Enforce:

  • Minimum length
  • Complexity requirements
  • Password expiration
  • Password history

Data Protection

Data Encryption

At Rest

Database:

  • Encrypt sensitive fields
  • Use database encryption
  • Secure backups

Files:

  • Encrypt sensitive files
  • Secure storage
  • Access control
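Encrypting a sensitive database field and a sensitive file with Laravel's built-in encryption, as an added example that is not OmniSuite CMS code. It assumes a `customers` table whose `tax_id` column is `TEXT` (ciphertext is far longer than the plaintext) and a local, non-public disk named `private` in `config/filesystems.php`; the model and method names are illustrative.

```php
<?php
// Added example, not OmniSuite CMS code. Assumes a "customers" table with a TEXT
// "tax_id" column and a private (non-web-root) disk named "private".

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Storage;

class Customer extends Model
{
    protected $fillable = ['name', 'tax_id'];

    // Field encryption: the "encrypted" cast runs Crypt::encrypt() on write and
    // Crypt::decrypt() on read, keyed from APP_KEY (AES-256-CBC plus an HMAC by
    // default). A database dump or stolen backup shows only ciphertext.
    protected $casts = [
        'tax_id' => 'encrypted',
    ];

    // File encryption: keep the document outside the web root, encrypt it with
    // the same key, and decrypt only when an authorised user requests it.
    public function storeDocument(string $plainContents): string
    {
        $path = "customers/{$this->getKey()}/document.enc";
        Storage::disk('private')->put($path, Crypt::encryptString($plainContents));

        return $path;
    }

    // Throws Illuminate\Contracts\Encryption\DecryptException if the blob was
    // tampered with or was encrypted under a different APP_KEY.
    public function readDocument(string $path): string
    {
        return Crypt::decryptString(Storage::disk('private')->get($path));
    }
}
```

Two caveats follow from the design: the ciphertext is randomised on every write, so an encrypted column cannot be searched with `where('tax_id', ...)` (store a separate hash if you need equality lookups), and rotating `APP_KEY` makes existing ciphertext undecryptable unless you re-encrypt it first (Laravel 11+ can also keep old keys in `APP_PREVIOUS_KEYS` for a graceful rotation).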

In Transit

HTTPS:

  • Always use HTTPS
  • SSL/TLS encryption
  • Secure connections

Data Backup Security

Backup Security:

  • Encrypt backups
  • Secure storage
  • Access control
  • Regular testing

Privacy Protection

User Data

Protection:

  • Collect only necessary data
  • Secure storage
  • Access control
  • Data retention policies

GDPR Compliance

Requirements:

  • User consent
  • Data access rights
  • Data deletion
  • Privacy policy

SSL/HTTPS Setup

Why SSL is Important

  • ✅ Encrypts data transmission
  • ✅ Builds user trust
  • ✅ Required for payments
  • ✅ Improves SEO
  • ✅ Prevents man-in-the-middle attacks

Obtaining SSL Certificate

Let's Encrypt (Free)

Install Certbot:

```bash
# Ubuntu/Debian
sudo apt install certbot python3-certbot-nginx
# (for Apache, install python3-certbot-apache instead)

# CentOS/RHEL (packages come from the EPEL repository)
sudo yum install certbot python3-certbot-nginx
```

Obtain Certificate:

```bash
# Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Apache
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
```

Auto-Renewal:

```bash
# The certbot package installs a systemd timer (or cron job) that renews
# automatically; this simulates that run so you can confirm it works
sudo certbot renew --dry-run
```

Force HTTPS

Application Configuration

.env:

```env
APP_URL=https://yourdomain.com
```

Middleware:

  • Force HTTPS middleware
  • Redirect HTTP to HTTPS
  • Secure cookies
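A middleware implementing the three points above, as an added example that is not OmniSuite CMS code. The class name `App\Http\Middleware\ForceHttps` and its registration location are assumptions; `$request->secure()`, `redirect()->secure()` and `URL::forceScheme()` are standard Laravel APIs.

```php
<?php
// Added example, not OmniSuite CMS code. App\Http\Middleware\ForceHttps is an
// assumed class name. Register it globally: in the $middleware array of
// app/Http/Kernel.php (Laravel 10 and earlier) or via ->withMiddleware() in
// bootstrap/app.php (Laravel 11).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\URL;
use Symfony\Component\HttpFoundation\Response;

class ForceHttps
{
    public function handle(Request $request, Closure $next): Response
    {
        // Redirect HTTP to HTTPS. Enforced only in production, where a
        // certificate exists; local development usually has none.
        if (! $request->secure() && app()->environment('production')) {
            // 301 so browsers and caches remember the redirect.
            return redirect()->secure($request->getRequestUri(), 301);
        }

        // Make route()/url()/asset() emit https links even when a TLS-terminating
        // proxy talks plain HTTP to PHP.
        URL::forceScheme('https');

        return $next($request);
    }
}
```

Two things make or break this middleware. Behind a load balancer, `$request->secure()` only sees `X-Forwarded-Proto` when the proxy is trusted (Laravel's `TrustProxies` middleware); otherwise every request looks like HTTP and the redirect loops. And "secure cookies" is a separate setting: set `SESSION_SECURE_COOKIE=true` so the session cookie is never sent over the plain-HTTP request that triggers the redirect.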

Security Updates

Regular Updates

Application Updates

Laravel:

```bash
# Review the changes to composer.lock and test on staging before deploying
composer update
# Back up the database first; migrations may alter or drop columns
php artisan migrate
```

Dependencies:

  • Update regularly
  • Check for vulnerabilities
  • Test before production

System Updates

Server:

  • Update OS regularly
  • Update PHP
  • Update web server
  • Update database

Security Monitoring

Log Monitoring

Monitor:

  • Access logs
  • Error logs
  • Security logs
  • Application logs
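Detection logic run over access-log lines, as an added example that is not OmniSuite CMS code. It flags two things worth alerting on: a source address posting to `/login` many times (which should line up with the application's lockout events), and any request for files that must never be served, such as `.env` (a 200 there means the web root is misconfigured). The sample lines are constructed in nginx's `combined` format; the threshold and path list are this example's choices.

```php
<?php
// Added example, not OmniSuite CMS code: a small access-log detector.
// Sample lines at the bottom are constructed (nginx "combined" format).

const LOGIN_THRESHOLD = 5;
const FORBIDDEN_PREFIXES = ['/.env', '/.git', '/storage/logs'];

// combined: $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$agent"
const LINE_PATTERN = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';

function parseLine(string $line): ?array
{
    if (! preg_match(LINE_PATTERN, $line, $m)) {
        return null; // malformed line: skip it rather than crash the monitor
    }

    return [
        'ip' => $m[1],
        'time' => $m[2],
        'method' => $m[3],
        'path' => strtok($m[4], '?'), // drop the query string
        'status' => (int) $m[5],
    ];
}

function analyse(array $lines): array
{
    $loginPosts = [];
    $forbidden = [];

    foreach ($lines as $line) {
        $e = parseLine($line);
        if ($e === null) {
            continue;
        }

        if ($e['method'] === 'POST' && $e['path'] === '/login') {
            $loginPosts[$e['ip']] = ($loginPosts[$e['ip']] ?? 0) + 1;
        }

        foreach (FORBIDDEN_PREFIXES as $prefix) {
            if (str_starts_with($e['path'], $prefix)) {
                $forbidden[] = $e;
                break;
            }
        }
    }

    return [
        'brute_force' => array_filter($loginPosts, fn (int $n) => $n >= LOGIN_THRESHOLD),
        'forbidden' => $forbidden,
    ];
}

// Constructed sample; pass a real log path as the first argument to scan it instead.
$sample = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Jan/2024:10:00:10 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.3 - - [10/Jan/2024:10:00:11 +0000] "GET /storage/logs/laravel.log HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Jan/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    'not a log line at all',
];

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;
$report = analyse($lines);

foreach ($report['brute_force'] as $ip => $count) {
    echo "ALERT: {$ip} posted to /login {$count} times\n";
}
foreach ($report['forbidden'] as $hit) {
    $severity = $hit['status'] === 200 ? 'CRITICAL (file was served)' : 'notice (blocked)';
    echo "{$severity}: {$hit['ip']} requested {$hit['path']} -> {$hit['status']}\n";
}
```

Run as `php detect.php /var/log/nginx/access.log` from cron and forward the output to whatever receives your alerts. A 200 on any of the forbidden paths is the finding to act on immediately: the web server's document root must be `public/`, not the application root, and the permissions from the File Permissions section apply.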

Vulnerability Scanning

Tools:

  • Security scanners
  • Dependency checkers
  • Penetration testing
  • Regular audits

Incident Response

Response Plan

  1. Identify:
     • Detect security issue
     • Assess impact
     • Contain threat
  2. Respond:
     • Fix vulnerability
     • Restore services
     • Notify users if needed
  3. Recover:
     • Verify fix
     • Monitor for issues
     • Document incident

Best Practices

General Security

  1. Keep Updated:
     • Regular updates
     • Security patches
     • Dependency updates
  2. Use Strong Credentials:
     • Complex passwords
     • Unique per account
     • Rotate regularly
  3. Limit Access:
     • Principle of least privilege
     • Remove unused access
     • Regular review
  4. Monitor Activity:
     • Log monitoring
     • Anomaly detection
     • Regular audits
  5. Backup Regularly:
     • Automated backups
     • Test restores
     • Secure storage

Troubleshooting

Security Issues

Solutions:

  1. Review security logs
  2. Check permissions
  3. Verify configurations
  4. Update software
  5. Consult security experts


Last Updated: [Date will be updated during final review]

Released under the MIT License.