So this is my first time deploying a Yii web app and I’m also a bit new to web development. Maybe you guys can help me out with a security checklist for Yii web apps. Larry Ullman’s The Yii Book talks about security and secure practices, but it doesn’t really have a section on web app security itself, and especially not on going live. The ebook covers a wide range of topics and it’s hard to keep track of the security measures to employ. I haven’t seen any comprehensive security thread here either.
Anyway, I have this CRM program that I’ve developed for an online business and I’m very concerned with its security. Although I have done all the basic secure practices, I’m not sure if it’s good enough or if I missed anything. A checklist for going live would really be helpful on this project and all future Yii web apps I’ll be building.
Getting a bit more specific, here are the security measures I’ve employed:
Programming practices for avoiding SQL injections, XSS attacks
Proper password storage using bcrypt
Set configuration files to live
Made sure to use https on all pages
Yii’s user access control
And here are some of my concerns:
Can my app’s communication to the database server be listened on?
Should I have the program hosted on its own account, or is it okay to have it with other websites in a single account but under different domain names?
Is it okay to have it in a shared hosting account?
Hosting server configurations?
I guess what I’m more concerned with on this project is security against outside attacks, but your input doesn’t have to address the specifics I included here; having that checklist would be enough and I’d look into each item on the list once I have it.
That’s going to be dependent on your hosting environment. It’s unlikely that requests between the web server and database server will go out on the web though, if that’s what you’re asking.
If you’re particularly concerned about security, you should probably consider running it in its own VM. The security and isolation of shared environments is very dependent upon how they’re configured as far as I understand.
I don’t have much experience of securing servers. You should really consult an expert if you want to be sure that your data will be protected.
Hey, sorry for the very late reply, I’ve been looking everywhere and I finally got back here.
Yes, I have enabled CSRF protection.
It’s good to hear that communication between the web server and database server is not public.
Of course professional help would be the ideal solution to this problem, but I’m not really in any position to hire pros for this, which is why I need to figure out how to do it. In any case, I think my aim in posting here is that I want to know how the top programmers that use Yii are keeping their web apps secure and how they keep it that way.
I have been looking for at least a checklist on deploying Yii web applications. I haven’t found any yet.
*Validate ALL user input!!!! Can’t stress this enough. Always assume a user is going to mess something up! All it takes is one to do so.
*Make sure your files aren’t accessible to people who shouldn’t be able to see them. I.e. if a user needs to be logged in to download something and you have it under yourdomain.com/files/file.pdf, then someone can just go to that URL and get it.
You can do a script that only allows the system to call files in the root directory and not allow anyone to access them directly via URL.
*Move your protected folder outside of your webroot. How to do this
*You’re using bcrypt for the passwords, which is good. But make sure you use some sort of password validator that ensures a user doesn’t just use a crappy password like “password1!”
*Limit the number of failed logins, i.e. if a username has 5 failed logins then put a 15 min delay on that name.
Or you could do something like: after 5 failed login attempts, show a CAPTCHA.
Be careful not to block by IP, because multiple users could be on the same IP and you would block everyone at that location.
*Make sure you’re not ever storing sensitive information in session / cookies
*Use VERY strong passwords for your database and make the username something unique too.
*Not really security, but make sure you have a way to prevent double submitting of forms. I.e. if a user hits refresh and it resubmits the form. One way is to do a redirect after all successful saves; another would be to use a token to make sure the form is only submitted once.
*NEVER have a “super admin” role. A user that is “super admin” should have all roles assigned to them. There shouldn’t be a single role that can do everything in the app. I.e. if I were to hijack your “super admin” role I could go delete everything. If I were to hijack an “author” role I could only delete and add posts, for example.
*Use session timeouts!!! What if an admin logs in and forgets to log out on a public computer… You could implement it only for admins or for all users. I don’t know what your app is.
*Implement a forced password change after x days. Depends on the type of app, if this makes sense.
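As an added example (not part of the original thread and not Yii’s own code), here is one way to implement the “don’t leave downloads under yourdomain.com/files/” advice above: the files live in a directory outside the web root, and a single PHP entry point checks the login state, resolves the requested name safely and streams the file. The storage directory, the `ProtectedDownload` class and the `$isLoggedIn` flag are assumptions; in a Yii 1.1 controller action the flag would typically come from `!Yii::app()->user->isGuest`.

```php
<?php
// Added example: serve files stored OUTSIDE the web root to logged-in users only.
// Nothing here comes from the original post; class and directory are hypothetical.
declare(strict_types=1);

final class ProtectedDownload
{
    private string $storageDir;

    public function __construct(string $storageDir)
    {
        // realpath() canonicalises the directory so the containment check below is exact.
        $real = realpath($storageDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('storage directory missing: ' . $storageDir);
        }
        $this->storageDir = $real;
    }

    /**
     * Map a user-supplied name to an absolute path inside the storage directory.
     * Returns null for traversal ("../x"), absolute paths, hidden files,
     * symlinks escaping the directory, and names that do not exist.
     */
    public function resolve(string $requested): ?string
    {
        // Whitelist a plain file name: no slashes, no NUL, no leading dot.
        if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $requested)) {
            return null;
        }
        $path = realpath($this->storageDir . DIRECTORY_SEPARATOR . $requested);
        if ($path === false || !is_file($path)) {
            return null;
        }
        // Defence in depth: realpath() followed symlinks, so re-check containment.
        $prefix = $this->storageDir . DIRECTORY_SEPARATOR;
        if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $path;
    }

    /** Stream the file; $isLoggedIn is supplied by the application's auth layer. */
    public function send(string $requested, bool $isLoggedIn): void
    {
        if (!$isLoggedIn) {
            http_response_code(403);
            exit;
        }
        $path = $this->resolve($requested);
        if ($path === null) {
            http_response_code(404); // same answer for "missing" and "not allowed"
            exit;
        }
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename="' . basename($path) . '"');
        header('Content-Length: ' . (string) filesize($path));
        header('X-Content-Type-Options: nosniff');
        header('Cache-Control: private, no-store');
        readfile($path);
        exit;
    }
}

// Stand-alone demo (php protected_download.php) using a constructed temp directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pd_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample content');
    $pd = new ProtectedDownload($dir);
    foreach (['report.pdf', '../etc/passwd', '/etc/passwd', '.htaccess', 'missing.pdf'] as $name) {
        printf("%-14s -> %s\n", $name, $pd->resolve($name) === null ? 'rejected' : 'allowed');
    }
}
```

The web server must still be configured so that the storage directory is not under the document root (or is denied in the server config); the PHP check only guards the one route that is allowed to read from it.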
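A second added example (again not from the original thread or from Yii) for the failed-login advice above: the counter is keyed by username, not by IP, so one attacker behind a shared NAT does not lock out everyone at that location. The thresholds (CAPTCHA after 5 failures, a 15-minute lock after 10), the `LoginThrottle` class and the in-memory store are assumptions; in a real deployment the state would live in the database or the application cache so it survives across requests.

```php
<?php
// Added example: per-username login throttling. Hypothetical class and thresholds.
declare(strict_types=1);

final class LoginThrottle
{
    public const CAPTCHA_AFTER = 5;   // failures before a CAPTCHA is required
    public const LOCK_AFTER    = 10;  // failures before the name is locked
    public const LOCK_SECONDS  = 900; // 15 minutes

    /** @var array<string, array{count:int, lockedUntil:int}> in-memory stand-in for DB/cache */
    private array $state = [];

    // Normalise so "Alice" and " alice" share one counter.
    private function key(string $username): string
    {
        return mb_strtolower(trim($username));
    }

    public function needsCaptcha(string $username): bool
    {
        return ($this->state[$this->key($username)]['count'] ?? 0) >= self::CAPTCHA_AFTER;
    }

    public function isLocked(string $username, int $now): bool
    {
        return ($this->state[$this->key($username)]['lockedUntil'] ?? 0) > $now;
    }

    public function recordFailure(string $username, int $now): void
    {
        $k = $this->key($username);
        $count = ($this->state[$k]['count'] ?? 0) + 1;
        $lockedUntil = $this->state[$k]['lockedUntil'] ?? 0;
        if ($count >= self::LOCK_AFTER) {
            $lockedUntil = $now + self::LOCK_SECONDS;
            $count = 0; // counting starts over once the lock has expired
        }
        $this->state[$k] = ['count' => $count, 'lockedUntil' => $lockedUntil];
    }

    public function recordSuccess(string $username): void
    {
        unset($this->state[$this->key($username)]);
    }

    /**
     * Full decision for one login attempt. $verify is the real credential check
     * (e.g. password_verify() against the stored bcrypt hash); $captchaOk is the
     * result of the CAPTCHA widget. Returns 'ok', 'locked', 'captcha' or 'bad'.
     */
    public function attempt(string $username, bool $captchaOk, callable $verify, int $now): string
    {
        if ($this->isLocked($username, $now)) {
            return 'locked';  // skip verify(): no bcrypt work for a locked name
        }
        if ($this->needsCaptcha($username) && !$captchaOk) {
            return 'captcha'; // not counted as a failure; the password was not checked
        }
        if ($verify($username)) {
            $this->recordSuccess($username);
            return 'ok';
        }
        $this->recordFailure($username, $now);
        return 'bad';
    }
}

// Stand-alone demo (php login_throttle.php) with a constructed always-wrong password.
if (PHP_SAPI === 'cli') {
    $t = new LoginThrottle();
    $now = time();
    $alwaysWrong = static fn (string $u): bool => false;
    for ($i = 1; $i <= 12; $i++) {
        // From attempt 7 on the attacker solves the CAPTCHA, so failures count again.
        printf("alice attempt %2d: %s\n", $i, $t->attempt('alice', $i > 6, $alwaysWrong, $now));
    }
    // bob, sharing the same IP, is unaffected because the key is the username.
    printf("bob: %s\n", $t->attempt('bob', false, static fn (string $u): bool => true, $now));
}
```

Log the distinct outcome server-side, but show the client the same generic “login failed” message for 'bad', 'locked' and non-existent usernames; otherwise the throttle itself becomes a way to enumerate valid account names.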