This section describes security considerations, as well as additional steps that may be taken to further secure a website.
By default the SilverStripe API endpoint is exposed publicly. To lock down access to the API endpoint, add the following to your app/_config/config.yml file:

```yaml
CWP\CWP\PageTypes\BasePage:
  api_access: false
```
User login considerations
By default the login form lets the browser remember the username that was entered, so it ends up in the browser's autocomplete cache. The username is, by default, the member's email address. If necessary, browser autocompletion can be disabled on the 'Email' field by setting SilverStripe\Security\Security.remember_username to false. This is done in your app/_config/config.yml file, by adding the following:

```yaml
SilverStripe\Security\Security:
  remember_username: false
```
Note that if a user has already saved their username prior to changing this value, it may be necessary to reset their browser autocomplete history before this will take effect.
This setting does not affect the behaviour of the browser's built in password manager or third-party password manager auto-filling the stored credentials.
Disabling browser autocomplete means the email address is typed in full on every login, which makes the email field somewhat more exposed to keyloggers capturing the email address/username; weigh this against the risk of a shared browser revealing valid usernames.
The password field has autocomplete from the browser's autocomplete cache disabled by default for security reasons.
User session expiration
After logging in, a user's session stays active until it has been idle for longer than the configured timeout. To reduce the window in which an unattended or stolen browser session can be used, it may be necessary to shorten that timeout. By default, active sessions expire after 24 minutes of inactivity.
This value is adjusted by setting SilverStripe\Control\Session.timeout (in seconds). For instance, to set the session timeout to 10 minutes add the following to your app/_config/config.yml file:

```yaml
SilverStripe\Control\Session:
  timeout: 600
```
Note: Setting this value to zero instead makes the session cookie expire when the user closes their browser window, but this does not enforce any maximum session duration (and browsers that restore tabs on restart may keep such cookies alive).
Note: This value controls how long the user's browser keeps the session cookie. How long the server keeps the session data is controlled separately by the php.ini setting session.gc_maxlifetime; more information can be found on PHP's session configuration page. A session is only usable while both the cookie and the server-side data exist, so keep the two values aligned rather than relying on one of them.
A lifetime of 24 minutes (1440 seconds, which is also PHP's default session.gc_maxlifetime) matches the default timeout configuration on CWP.
Saved user logins
Users have the option to tick a box on the login form labelled "Remember me next time?". If ticked, the user remains logged in even after the browser has been closed, and is logged in automatically when they come back later, for up to a maximum of 90 days.
If the computer used is not physically secured (for example a shared or public machine), this lets a subsequent user of the same browser be logged in automatically and impersonate the previous one, so it may be necessary to disable the feature. This is done by setting SilverStripe\Security\Security.autologin_enabled to false. In your app/_config/config.yml file, add the following:

```yaml
SilverStripe\Security\Security:
  autologin_enabled: false
```

With autologin disabled, once the browser has been closed or the session has expired, subsequent attempts to access secured content will require a username and password.
File upload restrictions
The SilverStripe\Assets\File.allowed_extensions config value lists every file type that is allowed to be saved into the assets folder. By default this includes file types such as html, and in some cases allowing these can be a security risk (for instance, uploaded HTML served from your own domain). See the OWASP wiki on File Upload for details.
Individual extensions may be added using this configuration in your app/_config/config.yml file:

```yaml
SilverStripe\Assets\File:
  allowed_extensions:
    - xhtml
    - xml
```

From CWP 2.1 onwards, you can also remove extensions by setting them to false:

```yaml
SilverStripe\Assets\File:
  allowed_extensions:
    xml: false
```

Uploaded files also have their extension checked against the known MIME types in the HTTP.MimeTypes config setting. In practice this means the file contents are checked to ensure they match the extension: for example, if you rename an image to test.txt and attempt to upload it, the file will be rejected.
Please see the technical docs for adding extensions for more information on allowing new file extensions and MIME types.
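The two checks described above, an extension allow-list that entries can be added to or removed from, and a content check that must agree with the extension, are modelled in the following added example. It is not SilverStripe's File validation or the mimevalidator code used on CWP; the base extension list and the magic-byte table are constructed stand-ins for File.allowed_extensions and HTTP.MimeTypes, and the sample file contents are constructed.

```python
"""Illustrative upload validator: extension allow-list plus content sniffing.

Added example, not SilverStripe or CWP code. Assumptions: a short stand-in
extension list, a small magic-byte table, and text formats accepted only
for NUL-free UTF-8 content.
"""
import os

# Constructed stand-in for the default File.allowed_extensions list (the real
# default is much longer).
BASE_ALLOWED_EXTENSIONS = ["gif", "html", "jpg", "jpeg", "pdf", "png", "txt", "xml"]

# Constructed stand-in for the HTTP.MimeTypes lookup plus content sniffing:
# the leading bytes a file with each extension must start with.
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
# Text formats have no magic bytes; accept them only for NUL-free UTF-8 content.
TEXT_EXTENSIONS = {"txt", "html", "htm", "xhtml", "xml", "csv", "css"}


def merge_allowed_extensions(base, overrides):
    """Apply overrides the way the two YAML forms above behave: a bare string
    adds an extension, a mapping of extension -> False removes one."""
    allowed = [ext.lower() for ext in base]
    for item in overrides:
        if isinstance(item, dict):
            for ext, keep in item.items():
                if keep is False and ext.lower() in allowed:
                    allowed.remove(ext.lower())
        elif item.lower() not in allowed:
            allowed.append(item.lower())
    return allowed


def sniff_extensions(content):
    """Return the set of extensions whose expected content signature matches."""
    matches = {ext for ext, sigs in MAGIC_BYTES.items() if content.startswith(sigs)}
    if not matches and b"\x00" not in content:
        try:
            content.decode("utf-8")
            matches |= TEXT_EXTENSIONS
        except UnicodeDecodeError:
            pass
    return matches


def validate_upload(filename, content, allowed):
    """Return (ok, reason). The extension must be allowed AND the content must
    look like that kind of file; either failure rejects the upload."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in allowed:
        return False, f"extension '{ext}' is not in allowed_extensions"
    if ext not in sniff_extensions(content):
        return False, f"content does not match a .{ext} file"
    return True, "ok"


if __name__ == "__main__":
    # Mirrors the configuration above: add xhtml, then remove html and xml.
    allowed = merge_allowed_extensions(
        BASE_ALLOWED_EXTENSIONS, ["xhtml", {"html": False}, {"xml": False}]
    )
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # constructed PNG header
    samples = [
        ("logo.png", png),          # accepted: extension and content agree
        ("test.txt", png),          # rejected: an image renamed to .txt
        ("page.html", b"<html>"),   # rejected: html removed from the list
        ("notes.txt", b"hello"),    # accepted: plain text
    ]
    for name, data in samples:
        print(name, validate_upload(name, data, allowed))
```

Both checks are needed: the allow-list alone would accept the renamed image as a harmless .txt, and the content check alone would happily accept a well-formed HTML file once html is in the list.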
If secure authentication is required for certain areas of the front end (such as password-protected forms or information), some configuration changes must be made.
By default, every attempt to access a secure page redirects the user to an SSL-protected domain specific to that environment (e.g. mystack.cwp.govt.nz). This avoids CMS users having to log in separately on each individual domain, and removes the dependency on each domain having its own SSL certificate.
If, however, users need to access protected content on the front end of a specific domain, they must log in on that domain rather than on the designated secure login domain.
To disable the redirection, add the following to your app/_config/config.yml file:

```yaml
---
Name: mysitesecurity
After: '#cwpsslredirectdomain'
---
SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Middleware\CanonicalURLMiddleware:
    properties:
      ForceSSLDomain: false
```

In this case HTTPS is still enforced, just on the requested domain instead of the shared secure domain, so it is necessary to ensure that an SSL certificate has been purchased and configured for each domain. If you are unsure, contact the CWP Service Desk.
Alternatively, you can disable SSL redirection entirely by setting the CanonicalURLMiddleware.ForceSSL property to false via Injector configuration (in the same way as the example above). This is not recommended: any data accessed or submitted by users, including login credentials and session cookies, would then be sent unencrypted.
HTTP request proxies and filtering
Whitelist embedded resource domains
The SilverStripe CMS allows CMS users to embed external content such as YouTube or Vimeo videos in page content. CWP recommends that you configure a whitelist of allowed domains to embed content from. If you aren't using this feature then we recommend you configure the domain whitelist anyway.
Please ensure you use the HTTPS protocol on domains wherever possible.
```yaml
---
Name: mysiteembedproviders
---
SilverStripe\AssetAdmin\Forms\RemoteFileFormFactory:
  # Disable http protocol, prefer https
  fileurl_scheme_blacklist:
    - http
  fileurl_port_blacklist:
    - 80
  # Specify a whitelist of domains to allow embedded resources from
  fileurl_domain_whitelist:
    - youtube.com
    - vimeo.com
    - videoprovider.cwp.govt.nz
  # Optionally, blacklist specific domains
  fileurl_domain_blacklist:
    - knowndangerousdomain.com
```
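The following added example shows how the four fileurl_* lists above constrain an embed URL, and why the domain comparison has to be exact or on a dot boundary rather than a plain suffix match. It is not the RemoteFileFormFactory code; the policy dictionary mirrors the YAML above, the sample URLs are constructed, and the rule that a whitelisted example.com also admits sub.example.com is this example's assumption, not a documented SilverStripe behaviour.

```python
"""Illustrative embed-URL policy check.

Added example, not SilverStripe code. Assumptions: the policy dictionary
stands in for the YAML config, and whitelisted/blacklisted domains also
match their subdomains (matched on a dot boundary).
"""
from urllib.parse import urlsplit

# Constructed policy mirroring the configuration above.
POLICY = {
    "scheme_blacklist": ["http"],
    "port_blacklist": [80],
    "domain_whitelist": ["youtube.com", "vimeo.com", "videoprovider.cwp.govt.nz"],
    "domain_blacklist": ["knowndangerousdomain.com"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def domain_matches(host, listed):
    """True if host equals the listed domain or is a subdomain of it.

    The '.' boundary matters: a bare endswith("youtube.com") would also
    accept youtube.com.evil.example.
    """
    host = host.lower().rstrip(".")
    listed = listed.lower().rstrip(".")
    return host == listed or host.endswith("." + listed)


def check_embed_url(url, policy=POLICY):
    """Return (allowed, reason) for a CMS-supplied embed URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # hostname is already lower-cased
    if not scheme or not host:
        return False, "not an absolute URL with a host"
    if scheme in policy["scheme_blacklist"]:
        return False, f"scheme '{scheme}' is blacklisted"
    try:
        port = parts.port                # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = DEFAULT_PORTS.get(scheme)  # an omitted port still counts
    if port in policy["port_blacklist"]:
        return False, f"port {port} is blacklisted"
    if any(domain_matches(host, d) for d in policy["domain_blacklist"]):
        return False, f"domain '{host}' is blacklisted"
    whitelist = policy["domain_whitelist"]
    if whitelist and not any(domain_matches(host, d) for d in whitelist):
        return False, f"domain '{host}' is not whitelisted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs, including the look-alike domain trick.
    for sample in [
        "https://www.youtube.com/watch?v=abc",
        "http://youtube.com/watch?v=abc",
        "https://youtube.com:80/watch?v=abc",
        "https://youtube.com.evil.example/watch?v=abc",
        "https://evil.example/?u=youtube.com",
        "https://video.knowndangerousdomain.com/clip",
    ]:
        print(sample, "->", check_embed_url(sample))
```

Note that the blacklist is consulted before the whitelist, so a blacklisted subdomain of a whitelisted provider is still refused, and that an omitted port is resolved to the scheme default before the port blacklist is applied.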