myCRM/SECURITY.md

Security Recommendations for myCRM

Implemented Security Measures

1. Authentication & Authorization

  • Session-based authentication (firewall configured with stateless: false; the session cookie is the credential for API calls)
  • Role-based access control (RBAC)
  • API endpoints protected with is_granted() checks
  • Users may edit only their own profile; editing another user's profile requires ROLE_ADMIN
  • System roles protected via SystemRoleProtection validator

2. Password Security

  • Passwords hashed via Symfony PasswordHasher (the algorithm is chosen by the password_hashers config, not by application code)
  • Plain-text password erased from the user object once it has been hashed
  • No password fields in serialization groups, so hashes never leave the server in API responses

3. XSS Prevention

  • Vue.js automatic escaping of template interpolation ({{ }}) and bound attributes
  • No v-html or innerHTML usage
  • User-supplied values reach the DOM only through those escaped paths; binding a user-controlled URL into href or src is still unsafe (javascript: scheme) and needs scheme validation before binding

4. CSRF Protection

  • Session cookie restricted with the SameSite attribute (set to 'strict' in the production config below), so the browser does not attach it to cross-site requests
  • Vue fetch calls use credentials: 'same-origin'

Caveat: credentials: 'same-origin' only governs requests issued by our own front-end code; an attacker's page issues its own requests, so that option contributes nothing against CSRF and the protection rests entirely on the SameSite attribute. Browsers that default to SameSite=Lax when the attribute is absent still send the cookie on top-level GET navigations, so state-changing API routes must accept only POST/PUT/PATCH/DELETE. As defence in depth, verify the Origin or Sec-Fetch-Site header on those requests server-side, or use Symfony's CSRF token component.
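
The server-side origin check mentioned above, as an added example that is not part of myCRM: an event subscriber that rejects state-changing /api/ requests a browser sent from another site. The class name and the /api/ prefix are assumptions; the check only fires when the request carries a session cookie, because CSRF needs ambient credentials to matter.

```php
<?php
// src/EventSubscriber/OriginCheckSubscriber.php (added example, not myCRM code;
// the class name and the /api/ path prefix are assumptions).

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Rejects state-changing /api/ requests that a browser sent from another site.
 * The SameSite cookie attribute stays the first line of defence; this is the
 * fallback for browsers that do not honour it.
 */
final class OriginCheckSubscriber implements EventSubscriberInterface
{
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

    public static function getSubscribedEvents(): array
    {
        // Default priority 0: runs after the firewall (8) and before the controller.
        return [KernelEvents::REQUEST => 'onKernelRequest'];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest()
            || !str_starts_with($request->getPathInfo(), '/api/')
            || in_array($request->getMethod(), self::SAFE_METHODS, true)
            || !$request->hasPreviousSession()) {   // no session cookie, no CSRF risk
            return;
        }

        if (!self::isSameOrigin($request)) {
            // setResponse() stops propagation, so the controller never runs.
            $event->setResponse(new JsonResponse(
                ['error' => 'Cross-site request rejected'],
                Response::HTTP_FORBIDDEN,
            ));
        }
    }

    /**
     * Sec-Fetch-Site is set by the browser and cannot be forged by a page, so it is
     * preferred; Origin is the fallback. getSchemeAndHttpHost() is only correct behind
     * a TLS-terminating proxy when framework.trusted_proxies is configured.
     */
    public static function isSameOrigin(Request $request): bool
    {
        $fetchSite = $request->headers->get('Sec-Fetch-Site');
        if ($fetchSite !== null) {
            return $fetchSite === 'same-origin';
        }

        $origin = $request->headers->get('Origin');
        if ($origin !== null) {
            return $origin === $request->getSchemeAndHttpHost();
        }

        // Browsers send Origin on every non-GET request they make, so a request that
        // carries a session cookie but neither header is treated as suspicious.
        return false;
    }
}
```

Because only requests with a session cookie are checked, API clients that authenticate some other way (or not at all) are unaffected; a request from the Vue app itself always carries Sec-Fetch-Site: same-origin in current browsers.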

Recommended Additional Measures

1. Rate Limiting

Consider implementing rate limiting for API endpoints, above all the login endpoint, which is the target of credential stuffing:

composer require symfony/rate-limiter

Configuration example in config/packages/rate_limiter.yaml. Defining a limiter only creates its factory service (autowired as RateLimiterFactory $apiLoginLimiter / $apiGeneralLimiter); it still has to be called from the request path it protects. Limiter state lives in the configured cache_pool, so a multi-instance deployment needs a shared pool such as Redis. For the login form itself, the firewall option login_throttling (max_attempts, interval) uses this same component and needs no custom code:

framework:
    rate_limiter:
        api_login:
            policy: 'sliding_window'
            limit: 5
            interval: '1 minute'
        api_general:
            policy: 'fixed_window'
            limit: 100
            interval: '1 hour'
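
One way to wire the two limiters above into the request path, as an added example that is not myCRM code: a subscriber that limits login attempts per client IP and everything else per authenticated user. It assumes a login route at POST /api/login (the real route is not documented here) and Symfony 6.2+ for the Symfony\Bundle\SecurityBundle\Security helper.

```php
<?php
// src/EventSubscriber/ApiRateLimitSubscriber.php (added example, not myCRM code).
// Assumes the api_login and api_general limiters from rate_limiter.yaml and a
// login route at POST /api/login; both names are assumptions.

namespace App\EventSubscriber;

use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\RateLimiter\LimiterInterface;
use Symfony\Component\RateLimiter\RateLimiterFactory;

final class ApiRateLimitSubscriber implements EventSubscriberInterface
{
    private const LOGIN_PATH = '/api/login';

    public function __construct(
        private readonly RateLimiterFactory $apiLoginLimiter,
        private readonly RateLimiterFactory $apiGeneralLimiter,
        private readonly Security $security,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // The firewall listener runs at priority 8 and, on a successful or failed
        // login, sets a response that stops propagation. The login limiter must
        // therefore run before it (9); the general limiter runs after it (4) so the
        // authenticated user is available for per-user keys.
        return [KernelEvents::REQUEST => [['onLogin', 9], ['onApiRequest', 4]]];
    }

    public function onLogin(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest()
            || $request->getPathInfo() !== self::LOGIN_PATH
            || !$request->isMethod('POST')) {
            return;
        }
        // No user yet and the attacker chooses the username, so key on the client IP.
        // Set framework.trusted_proxies when a proxy sits in front of PHP, otherwise
        // every client shares the proxy's address and one bucket.
        $this->enforce($event, $this->apiLoginLimiter->create('ip:' . $request->getClientIp()));
    }

    public function onApiRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest()
            || !str_starts_with($request->getPathInfo(), '/api/')
            || $request->getPathInfo() === self::LOGIN_PATH) {   // already handled above
            return;
        }
        $user = $this->security->getUser();
        $key = $user !== null
            ? 'user:' . $user->getUserIdentifier()
            : 'ip:' . $request->getClientIp();
        $this->enforce($event, $this->apiGeneralLimiter->create($key));
    }

    /** Consumes one token and short-circuits the request with 429 when the bucket is empty. */
    private function enforce(RequestEvent $event, LimiterInterface $limiter): void
    {
        $limit = $limiter->consume(1);
        if ($limit->isAccepted()) {
            return;
        }

        $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
        $event->setResponse(new JsonResponse(
            ['error' => 'Too many requests'],
            Response::HTTP_TOO_MANY_REQUESTS,
            [
                'Retry-After' => (string) $retryAfter,
                'X-RateLimit-Limit' => (string) $limit->getLimit(),
                'X-RateLimit-Remaining' => (string) $limit->getRemainingTokens(),
            ],
        ));
    }
}
```

The priority split is the part that is easy to get wrong: a single listener at priority 4 would never see a login request, because the json_login authenticator has already produced a response and stopped propagation. The firewall's login_throttling option avoids this ordering question entirely, which is why it is the better choice for the login endpoint when no custom keying is needed.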

3. HTTPS Only (Production)

Ensure HTTPS is enforced in production. The settings below harden the session cookie (never sent over plain HTTP, never sent cross-site) but do not redirect HTTP traffic by themselves; do that at the reverse proxy or with requires_channel: https in the security.yaml access_control rules. When TLS terminates at a proxy, configure framework.trusted_proxies as well, or Symfony will not see the request as secure and cookie_secure will drop the cookie:

# config/packages/framework.yaml (when@prod)
framework:
    session:
        cookie_secure: true
        cookie_samesite: 'strict'

3. Content Security Policy

Add CSP and related headers via nelmio/security-bundle, which also emits X-Frame-Options (clickjacking option) and Strict-Transport-Security (forced_ssl option). Start with the policy in report-only mode: Vue production builds ship scripts as external files, so script-src 'self' works, but some UI libraries inject style elements at runtime and need 'unsafe-inline' on style-src. Tighten the policy once the browser console reports no violations:

composer require nelmio/security-bundle
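
What those headers look like on the wire, as an added example that is neither myCRM code nor the bundle's: a hand-rolled kernel.response subscriber for a project that prefers not to add the dependency. The class name, the policy values and the $reportOnly binding are assumptions; with the bundle installed the same settings go in config/packages/nelmio_security.yaml instead.

```php
<?php
// src/EventSubscriber/SecurityHeadersSubscriber.php (added example, not myCRM code
// and not nelmio/security-bundle code; it emits the headers the bundle's csp,
// clickjacking and forced_ssl options would). The $reportOnly flag is assumed to be
// bound in services.yaml, e.g. bind: { $reportOnly: '%env(bool:CSP_REPORT_ONLY)%' }.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class SecurityHeadersSubscriber implements EventSubscriberInterface
{
    // script-src 'self' is enough for a Vite-built Vue app (no inline scripts).
    // style-src keeps 'unsafe-inline' only because some UI libraries inject <style>
    // elements at runtime; drop it once report-only mode shows no violations.
    private const CSP = "default-src 'self'; "
        . "script-src 'self'; "
        . "style-src 'self' 'unsafe-inline'; "
        . "img-src 'self' data:; "
        . "connect-src 'self'; "
        . "object-src 'none'; "
        . "base-uri 'self'; "
        . "form-action 'self'; "
        . "frame-ancestors 'none'";

    public function __construct(private readonly bool $reportOnly = true)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::RESPONSE => 'onKernelResponse'];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }
        $headers = $event->getResponse()->headers;

        // Report-Only logs violations in the browser console without blocking anything.
        $headers->set(
            $this->reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
            self::CSP,
        );
        // frame-ancestors supersedes this, but older browsers only understand X-Frame-Options.
        $headers->set('X-Frame-Options', 'DENY');
        $headers->set('X-Content-Type-Options', 'nosniff');
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

        // HSTS is ignored on plain-HTTP responses and a wrong max-age is hard to undo,
        // so send it only over HTTPS and start with a short value in a new deployment.
        if ($event->getRequest()->isSecure()) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }
    }
}
```

Run with $reportOnly = true first and check the console for blocked resources; the switch to the enforcing header is a one-line change once the policy is known to be clean.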

4. Input Validation

  • Email validation (Symfony built-in Email constraint)
  • Required field validation (NotBlank)
  • Consider adding: Length(max: ...) constraints matching the database column widths, and explicit allow-lists for role and module names. Do not strip or "sanitize" HTML out of stored input; keep data as entered and rely on escaping at output (section 3 above), which is what actually prevents XSS

5. Audit Logging

Consider logging sensitive operations to a dedicated log channel, recording who did what, when, and from which IP:

  • Successful and failed logins
  • User creation/deletion
  • Role assignment changes
  • Permission modifications
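
One way to capture the first three items, as an added example that is not myCRM code: a class that subscribes to Symfony's login events and doubles as a Doctrine entity listener on the User entity. It assumes a Monolog channel named audit (monolog: channels: ['audit'] in config/packages/monolog.yaml, which MonologBundle autowires as LoggerInterface $auditLogger), a User entity with a roles field and getUserIdentifier(), and Symfony 6.2+ for the Security helper.

```php
<?php
// src/EventSubscriber/AuditSubscriber.php (added example, not myCRM code).
// Assumptions: an "audit" Monolog channel, App\Entity\User with a `roles` field
// implementing UserInterface, and DoctrineBundle 2.5+ for #[AsEntityListener].

namespace App\EventSubscriber;

use App\Entity\User;
use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
use Doctrine\ORM\Event\PostPersistEventArgs;
use Doctrine\ORM\Event\PreRemoveEventArgs;
use Doctrine\ORM\Event\PreUpdateEventArgs;
use Doctrine\ORM\Events;
use Psr\Log\LoggerInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\LoginFailureEvent;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

#[AsEntityListener(event: Events::postPersist, method: 'onUserCreated', entity: User::class)]
#[AsEntityListener(event: Events::preUpdate, method: 'onUserUpdated', entity: User::class)]
#[AsEntityListener(event: Events::preRemove, method: 'onUserRemoved', entity: User::class)]
final class AuditSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly LoggerInterface $auditLogger,   // the "audit" channel
        private readonly Security $security,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            LoginSuccessEvent::class => 'onLoginSuccess',
            LoginFailureEvent::class => 'onLoginFailure',
        ];
    }

    public function onLoginSuccess(LoginSuccessEvent $event): void
    {
        $this->auditLogger->info('login.success', [
            'user' => $event->getUser()->getUserIdentifier(),
            'ip' => $event->getRequest()->getClientIp(),
        ]);
    }

    public function onLoginFailure(LoginFailureEvent $event): void
    {
        // Log the failure reason and origin only; never the submitted credentials.
        $this->auditLogger->warning('login.failure', [
            'reason' => $event->getException()->getMessageKey(),
            'firewall' => $event->getFirewallName(),
            'ip' => $event->getRequest()->getClientIp(),
        ]);
    }

    public function onUserCreated(User $user, PostPersistEventArgs $args): void
    {
        $this->auditLogger->notice('user.created', $this->context($user));
    }

    public function onUserUpdated(User $user, PreUpdateEventArgs $args): void
    {
        // Only role changes are security-relevant here; skip profile edits.
        if (!$args->hasChangedField('roles')) {
            return;
        }
        $this->auditLogger->notice('user.roles_changed', $this->context($user) + [
            'old' => $args->getOldValue('roles'),
            'new' => $args->getNewValue('roles'),
        ]);
    }

    public function onUserRemoved(User $user, PreRemoveEventArgs $args): void
    {
        $this->auditLogger->notice('user.deleted', $this->context($user));
    }

    /** Who acted on whom; 'system' covers console commands and fixtures with no session. */
    private function context(User $target): array
    {
        return [
            'actor' => $this->security->getUser()?->getUserIdentifier() ?? 'system',
            'target' => $target->getUserIdentifier(),
        ];
    }
}
```

Write the audit channel to its own handler (a separate file or a remote collector) with a stricter retention policy than the application log, and exclude it from log rotation that deletes entries, since its value is in being complete.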

6. Database Security

  • Parameter binding via Doctrine (protects against SQL injection as long as user input is passed through setParameter() and never concatenated into DQL, QueryBuilder expressions or native SQL strings)
  • Unique constraints on email and on role+module combinations
  • Consider: application-level encryption of sensitive fields with a key held outside the database; disk-level encryption does not protect against reads through a compromised database connection

7. Error Handling

Current: stack traces and exception details are shown in dev mode.
Production: ensure APP_DEBUG=0 so clients receive generic error responses, and log exceptions with full detail to a location that is not reachable from the web.

Security Checklist for Deployment

  • Set APP_ENV=prod and APP_DEBUG=0
  • Enable HTTPS with a valid TLS certificate and redirect HTTP to HTTPS
  • Set secure session cookie settings (cookie_secure, cookie_samesite, cookie_httponly)
  • Implement rate limiting (at least on login)
  • Set up security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS)
  • Regular dependency updates (composer update) and composer audit to catch packages with known vulnerabilities
  • Database backups configured and a restore tested
  • Error logging to a location outside the web root
  • Monitor authentication failures
  • Review and rotate secrets in .env (APP_SECRET, database credentials); keep real values in .env.local or the environment, never in the repository