Improve and extend the security checklist #2565

Merged
merged 29 commits into from
Dec 5, 2024
Changes from 1 commit
Make random_bytes command copyable
Co-authored-by: Adrien Dupuis <[email protected]>
glye and adriendupuis authored Dec 3, 2024
commit c414e93f2ae155f160adf3145c082ff87f02256a
@@ -151,14 +151,16 @@
`APP_SECRET` needs to be a strong, random, securely stored value.

- Don't use a default value like `ff6dc61a329dc96652bb092ec58981f7` or `ThisTokenIsNotSoSecretChangeIt`.
- The secret must be secured against unwanted access. Don't commit the value to a version control system. There are several ways of handling it, like with enviroment variables or files like `.env.local`. Files are considered more secure. If you store the secrets in files, make sure to add those files to `.gitignore` or similar, so they will never be committed to version control systems.

GitHub Actions / vale, warning on line 154 of docs/infrastructure_and_maintenance/security/security_checklist.md: [Ibexa.UnclearAntecedent] Instead of 'There are', try starting this sentence with a specific subject and verb.

GitHub Actions / vale, warning on line 154 of docs/infrastructure_and_maintenance/security/security_checklist.md: [Ibexa.FutureTense] Use present tense instead of future.
- The secret must be long enough. 32 characters is minimum, longer is better.

!!! tip

The following command generates a 64-character-long secure random value:

`php -r "print bin2hex(random_bytes(32));"`
```shell
php -r "print bin2hex(random_bytes(32));"
```

!!! note

@@ -284,7 +286,7 @@

### Secure access

Secure the database access with strong passwords, keys, firewall, encryption in transit, encryption at rest, and so on, as needed.

GitHub Actions / vale, warning on line 289 of docs/infrastructure_and_maintenance/security/security_checklist.md: [Ibexa.Wordy] Remove 'and so on'. Try to use 'like' and provide examples instead.
When using [[= product_name_cloud =]], the provider handles this.

### Limit database rights
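Review bot: the vale warning on the "Secure access" sentence is worth acting on rather than suppressing, because "and so on, as needed" leaves the reader without concrete controls; replace it with specifics drawn from the list already there, for example "like TLS for connections to the database server, disk or volume encryption for data at rest, and firewall rules that allow connections only from the application hosts". The following sentence, "When using [[= product_name_cloud =]], the provider handles this", should also say which of those items the provider covers, since the next section ("Limit database rights") makes clear that database account permissions remain the reader's responsibility on any platform.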