# Security Recommendations for myCRM

## Implemented Security Measures

### 1. Authentication & Authorization

- ✅ Session-based authentication (stateless: false)
- ✅ Role-based access control (RBAC)
- ✅ API endpoints protected with `is_granted()` checks
- ✅ Users can edit only their own profile; editing another user's profile requires ROLE_ADMIN
- ✅ System roles protected via the SystemRoleProtection validator

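The "own profile or ROLE_ADMIN" rule above is the kind of check that belongs in a Symfony Voter rather than in every controller. The following is an added example written for this document, not code from the myCRM repository; it assumes Symfony 6.2+ (`Symfony\Bundle\SecurityBundle\Security`), an `App\Entity\User` class implementing `UserInterface`, and the attribute name `USER_EDIT` (all assumptions).

```php
<?php
// Added example, not myCRM code: a Voter enforcing "a user may edit only their own
// profile, unless they hold ROLE_ADMIN". Assumes Symfony 6.2+ and App\Entity\User
// implementing UserInterface; class and attribute names are assumptions.

namespace App\Security\Voter;

use App\Entity\User;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;

final class UserProfileVoter extends Voter
{
    public const EDIT = 'USER_EDIT';

    public function __construct(private readonly Security $security)
    {
    }

    // Vote only on USER_EDIT applied to a User; abstain on everything else so other
    // voters (and the default deny) still apply.
    protected function supports(string $attribute, mixed $subject): bool
    {
        return $attribute === self::EDIT && $subject instanceof User;
    }

    protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
    {
        $current = $token->getUser();
        if (!$current instanceof UserInterface) {
            return false; // anonymous request: deny
        }

        // Administrators may edit any profile (role hierarchy is respected by isGranted).
        if ($this->security->isGranted('ROLE_ADMIN')) {
            return true;
        }

        /** @var User $subject */
        // Everyone else may edit only the profile they are logged in as. Compare
        // identifiers, not object identity: the token's user and the subject can be
        // different PHP objects for the same database row.
        return $current->getUserIdentifier() === $subject->getUserIdentifier();
    }
}

// Usage in a controller extending AbstractController, before any field is touched:
//   $this->denyAccessUnlessGranted(UserProfileVoter::EDIT, $user);   // 403 on failure
// or declaratively on the action:
//   #[IsGranted(UserProfileVoter::EDIT, subject: 'user')]
```

With autoconfiguration enabled, any class extending `Voter` is tagged as a security voter automatically, so no service definition is needed. Keeping the rule in one voter means the `is_granted()` checks on the API endpoints and any future admin UI share the same decision.
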
### 2. Password Security

- ✅ Passwords hashed via Symfony PasswordHasher
- ✅ Plain passwords erased after hashing
- ✅ No passwords in serialization groups

### 3. XSS Prevention

- ✅ Vue.js automatic escaping
- ✅ No v-html or innerHTML usage
- ✅ All user input properly escaped

### 4. CSRF Protection

- ✅ Session-based API (SameSite cookies)
- ✅ `credentials: 'same-origin'` in fetch calls

## Recommended Additional Measures

### 1. Rate Limiting

Consider implementing rate limiting for API endpoints:

```bash
composer require symfony/rate-limiter
```

Configuration example in `config/packages/rate_limiter.yaml`:

```yaml
framework:
    rate_limiter:
        api_login:
            policy: 'sliding_window'
            limit: 5
            interval: '1 minute'
        api_general:
            policy: 'fixed_window'
            limit: 100
            interval: '1 hour'
```

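The configuration above only defines the two limiters; something still has to consume tokens from them on each request. The subscriber below is an added example written for this document, not code from the myCRM repository. It assumes the limiter names from the YAML above, that the login endpoint is `POST /api/login` and that all other API routes live under `/api/` (both assumptions), and Symfony 5.3+ for `RequestEvent::isMainRequest()`.

```php
<?php
// Added example, not myCRM code: a kernel.request subscriber that applies the
// `api_login` limiter to POST /api/login and `api_general` to every other /api/
// request. Paths and the class name are assumptions.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\RateLimiter\RateLimiterFactory;

final class ApiRateLimitSubscriber implements EventSubscriberInterface
{
    public function __construct(
        // The parameter names matter: Symfony autowires the limiter `api_login` into
        // $apiLoginLimiter and `api_general` into $apiGeneralLimiter.
        private readonly RateLimiterFactory $apiLoginLimiter,
        private readonly RateLimiterFactory $apiGeneralLimiter,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 10 runs before the firewall listener (priority 8), so a throttled
        // login attempt is rejected before any credential check is performed.
        return [KernelEvents::REQUEST => ['onKernelRequest', 10]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        $path = $request->getPathInfo();
        if (!str_starts_with($path, '/api/')) {
            return;
        }

        $isLogin = $path === '/api/login' && $request->isMethod(Request::METHOD_POST);
        $factory = $isLogin ? $this->apiLoginLimiter : $this->apiGeneralLimiter;

        // One bucket per client IP. Behind a reverse proxy, framework.trusted_proxies
        // must be configured, otherwise every client shares the proxy's address.
        $limit = $factory->create($request->getClientIp() ?? 'unknown')->consume(1);

        if ($limit->isAccepted()) {
            return;
        }

        // Tell well-behaved clients when to retry; seconds until the window frees a token.
        $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());

        $event->setResponse(new JsonResponse(
            ['error' => 'Too many requests'],
            Response::HTTP_TOO_MANY_REQUESTS,
            [
                'Retry-After' => (string) $retryAfter,
                'X-RateLimit-Limit' => (string) $limit->getLimit(),
                'X-RateLimit-Remaining' => (string) $limit->getRemainingTokens(),
            ]
        ));
    }
}
```

Because the subscriber runs before the firewall, the session user is not yet available, which is why the key is the client IP for both limiters. If the login form is handled by a Symfony firewall authenticator rather than a custom controller, the built-in `login_throttling` option on that firewall is the simpler choice for the login path; the subscriber is then only needed for `api_general`.
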
### 2. HTTPS Only (Production)

Ensure HTTPS is enforced in production:

```yaml
# config/packages/framework.yaml
when@prod:
    framework:
        session:
            cookie_secure: true
            cookie_samesite: 'strict'
```

This marks the session cookie as HTTPS-only so a browser never sends it over plain HTTP; the redirect from HTTP to HTTPS itself belongs in the web server or reverse proxy configuration.

### 3. Content Security Policy

Add CSP headers via `nelmio/security-bundle`:

```bash
composer require nelmio/security-bundle
```

The same bundle also provides the clickjacking (`X-Frame-Options`) and related headers listed in the deployment checklist below.

### 4. Input Validation

- ✅ Email validation (Symfony built-in)
- ✅ Required field validation
- Consider adding: max length validation, sanitization

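To make the "max length validation" item concrete, here is an added example (not code from the myCRM repository) of length and format constraints on the validation-relevant part of the `User` entity, together with an API action that validates before persisting and returns per-field messages with HTTP 422. Both classes are shown in one listing for readability; in a project they are separate files. It assumes Symfony 6.4+ (`Routing\Attribute\Route`), serialization groups `user:write` / `user:read`, and the field names `email` and `displayName` (all assumptions).

```php
<?php
// Added example, not myCRM code: max-length/format constraints plus a create action
// that validates first and answers 422 with field-level messages. Assumes Symfony 6.4+,
// groups user:write/user:read and the field names shown (all assumptions).

namespace App\Entity;

use Symfony\Component\Serializer\Annotation\Groups;
use Symfony\Component\Validator\Constraints as Assert;

class User
{
    #[Groups(['user:read', 'user:write'])]
    #[Assert\NotBlank]
    #[Assert\Email]
    #[Assert\Length(max: 180)] // bounds the input and matches a VARCHAR(180) unique column
    private ?string $email = null;

    #[Groups(['user:read', 'user:write'])]
    #[Assert\NotBlank]
    #[Assert\Length(max: 100)]
    #[Assert\Regex(pattern: '/^[^<>]*$/', message: 'Angle brackets are not allowed.')]
    private ?string $displayName = null;

    public function getEmail(): ?string { return $this->email; }
    public function setEmail(string $email): void { $this->email = $email; }
    public function getDisplayName(): ?string { return $this->displayName; }
    public function setDisplayName(string $name): void { $this->displayName = $name; }
}

namespace App\Controller\Api;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Serializer\SerializerInterface;
use Symfony\Component\Validator\Validator\ValidatorInterface;

final class UserController extends AbstractController
{
    #[Route('/api/users', name: 'api_user_create', methods: ['POST'])]
    public function create(
        Request $request,
        SerializerInterface $serializer,
        ValidatorInterface $validator,
        EntityManagerInterface $em,
    ): JsonResponse {
        // Only properties in the user:write group are populated from the request body;
        // provided roles and password carry no user:write group, clients cannot set them here.
        $user = $serializer->deserialize(
            $request->getContent(), User::class, 'json', ['groups' => ['user:write']]
        );

        $violations = $validator->validate($user);
        if (\count($violations) > 0) {
            $errors = [];
            foreach ($violations as $violation) {
                // Messages come from the constraints above, so no internal detail
                // (stack trace, SQL, file path) reaches the client.
                $errors[$violation->getPropertyPath()][] = $violation->getMessage();
            }
            return $this->json(['errors' => $errors], Response::HTTP_UNPROCESSABLE_ENTITY);
        }

        $em->persist($user);
        $em->flush();

        return $this->json($user, Response::HTTP_CREATED, [], ['groups' => ['user:read']]);
    }
}
```

Length limits protect the database layer (oversized values fail with a clean 422 instead of a driver error) and bound the work any later processing does on the value; the `Regex` constraint is a conservative input filter, while output escaping by Vue remains the primary XSS defence.
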
### 5. Audit Logging

Consider logging sensitive operations:

- User creation/deletion
- Role assignment changes
- Permission modifications

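One way to capture the first two items without touching every controller is a Doctrine entity listener on the `User` entity. The listener below is an added example written for this document, not code from the myCRM repository. It assumes DoctrineBundle 2.x (`#[AsEntityListener]`), a Monolog channel named `audit` (declared with `monolog.channels: [audit]`, which makes `LoggerInterface $auditLogger` autowirable), Symfony 6.2+ `Security`, and that `User` implements `UserInterface` and stores its roles in a field named `roles` (all assumptions).

```php
<?php
// Added example, not myCRM code: a Doctrine entity listener that writes an audit
// record when a User is created, deleted, or has its roles changed. Assumes
// DoctrineBundle 2.x, a Monolog "audit" channel, Symfony 6.2+ Security and a `roles`
// field on App\Entity\User (all assumptions).

namespace App\EventListener;

use App\Entity\User;
use Doctrine\Bundle\DoctrineBundle\Attribute\AsEntityListener;
use Doctrine\ORM\Event\PostPersistEventArgs;
use Doctrine\ORM\Event\PreRemoveEventArgs;
use Doctrine\ORM\Event\PreUpdateEventArgs;
use Doctrine\ORM\Events;
use Psr\Log\LoggerInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\RequestStack;

#[AsEntityListener(event: Events::postPersist, method: 'onCreate', entity: User::class)]
#[AsEntityListener(event: Events::preRemove, method: 'onDelete', entity: User::class)]
#[AsEntityListener(event: Events::preUpdate, method: 'onUpdate', entity: User::class)]
final class UserAuditListener
{
    public function __construct(
        private readonly LoggerInterface $auditLogger, // bound to the "audit" Monolog channel
        private readonly Security $security,
        private readonly RequestStack $requestStack,
    ) {
    }

    public function onCreate(User $user, PostPersistEventArgs $args): void
    {
        // postPersist: the database identifier has been assigned at this point.
        $this->record('user.created', $user, ['roles' => $user->getRoles()]);
    }

    public function onDelete(User $user, PreRemoveEventArgs $args): void
    {
        $this->record('user.deleted', $user, ['roles' => $user->getRoles()]);
    }

    public function onUpdate(User $user, PreUpdateEventArgs $args): void
    {
        // Only role changes are audited here; ordinary profile edits stay out of the log.
        if (!$args->hasChangedField('roles')) {
            return;
        }
        $this->record('user.roles_changed', $user, [
            'old' => $args->getOldValue('roles'),
            'new' => $args->getNewValue('roles'),
        ]);
    }

    private function record(string $event, User $subject, array $details): void
    {
        $actor = $this->security->getUser();              // null outside a request (CLI, fixtures)
        $request = $this->requestStack->getCurrentRequest();

        // Log identifiers and role names only: never passwords, hashes or session tokens.
        $this->auditLogger->info($event, [
            'actor' => $actor?->getUserIdentifier() ?? 'system',
            'subject' => $subject->getUserIdentifier(),
            'ip' => $request?->getClientIp(),
            'details' => $details,
        ]);
    }
}
```

Route the `audit` channel to its own handler (a separate file or a log shipper) in `config/packages/monolog.yaml` so these records are not mixed with application debug output and are retained under the "error logging to secure location" item of the deployment checklist. Who did what to whom, from where, and what changed is the minimum an incident responder needs from such a record.
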
### 6. Database Security

- ✅ Prepared statements via Doctrine (SQL injection protected)
- ✅ Unique constraints on email and role+module combinations
- Consider: database encryption for sensitive fields

### 7. Error Handling

Current: errors are exposed in dev mode.

Production: ensure debug mode is disabled and errors are logged securely.

## Security Checklist for Deployment

- [ ] Set `APP_ENV=prod` and `APP_DEBUG=0`
- [ ] Enable HTTPS with a valid SSL/TLS certificate
- [ ] Set secure session cookie settings
- [ ] Implement rate limiting
- [ ] Set up security headers (CSP, X-Frame-Options, etc.)
- [ ] Regular dependency updates (`composer update`)
- [ ] Database backups configured
- [ ] Error logging to a secure location
- [ ] Monitor authentication failures
- [ ] Review and rotate secrets in `.env`