In today's world, security is an important element, especially when you are hosting applications or websites. Anything on the internet is prone to attack, and no software is 100% secure. Our team has kept all this in mind and designed Open-School with additional security features for maximum protection of your data. The following features are currently implemented:
- SSL compatible: a single-domain SSL certificate can be applied to an Open-School installation. All assets are served over HTTPS; no files are loaded from outside the Open-School source.
- Salted hashes (MD5): sensitive information such as passwords is stored as MD5 hashes with additional salt keys. Names of downloadable files are likewise hashed with additional salt keys.
- CSRF tokens: Open-School passes CSRF tokens with requests between pages and URLs, preventing cross-site request forgery.
- HTML purifier (XSS): Open-School runs user-supplied HTML through an HTML purifier, which helps prevent cross-site scripting, a common way of attacking websites.
- AJAX call restriction: remove/delete operations accept only POST requests.
- SQL injection: Open-School interacts with the database through Yii Active Record, a PDO abstraction layer, running on PHP 5.5; backslashes and quotes in input are escaped automatically (no reliance on magic quotes), which prevents SQL injection.
- Validation and user rights: Open-School validates the data type of all input and performs authentication checks on every action. CAPTCHA can optionally be enabled to hinder brute-force attacks.
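The CSRF, POST-only delete, HTML purifier and parameter-binding points above, shown together in one Yii 1.1 controller as an added example (this is not Open-School's own code; the controller, model, table and column names are assumed):

```php
<?php
// Added illustration of how the features listed above are wired in a Yii 1.1
// application. Not Open-School's own code; the controller, model, table and
// column names (Document, document, id, title, body) are assumed.
// CSRF tokens and signed cookies are switched on in protected/config/main.php:
//   'components' => array('request' => array(
//       'enableCsrfValidation'   => true,  // POST without a valid token is rejected
//       'enableCookieValidation' => true,  // cookies are HMAC-signed, not forgeable
//   )),
class DocumentController extends CController
{
    public function filters()
    {
        // 'postOnly + delete': the delete action refuses GET requests, so a
        // plain link or image tag cannot trigger a deletion.
        return array('accessControl', 'postOnly + delete');
    }
    public function accessRules()
    {
        // Authenticated users ('@') may view and delete; everyone else is denied.
        return array(
            array('allow', 'actions' => array('view', 'delete'), 'users' => array('@')),
            array('deny', 'users' => array('*')),
        );
    }
    public function actionView($id)
    {
        // Parameter binding: the value travels separately from the SQL text, so
        // quotes or backslashes in $id cannot alter the query.
        $row = Yii::app()->db->createCommand(
            'SELECT title, body FROM document WHERE id = :id'
        )->bindValue(':id', (int) $id)->queryRow();
        if ($row === false) {
            throw new CHttpException(404, 'Document not found.');
        }
        // HTML purifier: strip scripts and event handlers from stored HTML
        // before it is rendered into the page.
        $purifier = new CHtmlPurifier();
        $row['body'] = $purifier->purify($row['body']);
        $this->render('view', array('doc' => $row));
    }
    public function actionDelete($id)
    {
        $doc = Document::model()->findByPk((int) $id);
        if ($doc === null) { throw new CHttpException(404, 'Document not found.'); }
        $doc->delete();
        $this->redirect(array('index'));
    }
}
```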
Yii - the secure, stable and tested PHP framework:
Open-School is built entirely on the popular Yii framework, known for its scalability and performance. Open-School uses Yii's database wrapper, access control and other security features available for securing the production version of the application.
Additional settings for securing your server
These settings can be checked with your server administrator.
- Running the application in production mode.
- Having the directory listing disabled on the server to prevent information leaks.
- Upgrading outdated server software such as phpMyAdmin and Apache.
- Hiding error-handling information such as stack traces.