Skip to content

Security: dev-lou/Cict-Store

Security

SECURITY.md

Security Implementation - CICT Store

✅ Security Measures Implemented

1. Security Headers (NEW)

  • X-Frame-Options: Prevents clickjacking attacks
  • X-Content-Type-Options: Prevents MIME sniffing
  • X-XSS-Protection: Enables browser XSS filter
  • Strict-Transport-Security: Forces HTTPS
  • Content-Security-Policy: Controls resource loading
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Restricts browser features

2. Session Security (ENHANCED)

  • Session lifetime: 120 minutes (2 hours)
  • Session encryption enabled
  • Sessions expire on browser close
  • Secure cookies on HTTPS

3. Authentication Security

  • Password hashing with bcrypt
  • CSRF protection on all forms
  • Rate limiting on login (5 attempts/minute)
  • Rate limiting on registration (5 attempts/minute)
  • IP blocking after failed logins (10 attempts in 30 min = 30 min block)
  • OAuth 2.0 with Google
  • Admin role-based access control

4. Database Security

  • SQL injection protection (Eloquent ORM)
  • Prepared statements
  • Input validation and sanitization
  • Audit logging for admin actions

5. File Upload Security

  • Profile pictures validated
  • Image type verification
  • File size limits
  • Secure storage in storage/app/public

6. Environment Security

  • .env file not committed to git
  • Sensitive credentials in environment variables
  • API keys isolated from code

7. HTTPS & SSL

  • SSL certificate on cictstore.me
  • Forced HTTPS redirects
  • Secure cookie flags

⚠️ Additional Security Recommendations

High Priority:

  1. Rotate Google API Keys regularly (every 90 days)
  2. Enable Database Backups on Supabase (automated daily)
  3. Implement 2FA for admin accounts (use Google Authenticator)

Medium Priority:

  1. Add Content Security Policy Reports to monitor violations
  2. Set up Security Monitoring with alerts for suspicious activity
  3. Regular Security Audits - Review logs monthly
  4. Update Dependencies - Run composer update monthly

Low Priority:

  1. Add Rate Limiting to sitemap and API endpoints
  2. Implement IP Whitelisting for admin panel (optional)

🔒 Security Checklist for Production

  • HTTPS enabled
  • Security headers configured
  • Session encryption enabled
  • CSRF protection active
  • Rate limiting on authentication
  • Admin access control
  • Audit logging
  • .env file not in git
  • IP blocking after failed logins
  • 2FA for admins (recommended)
  • Automated database backups
  • Regular security updates

📊 Security Rating: A- (Excellent)

Your website is well-protected for a production environment. The main improvements would be:

  1. Two-factor authentication for admins (would bring rating to A+)
  2. Automated database backups
  3. Regular security audits

🚨 Security Incident Response

If you detect suspicious activity:

  1. Check audit logs: /admin/audit-logs
  2. Review failed login attempts: Check failed_login_attempts table
  3. View blocked IPs: SELECT * FROM failed_login_attempts WHERE blocked_until IS NOT NULL;
  4. Manually unblock IP: DELETE FROM failed_login_attempts WHERE ip_address = 'x.x.x.x';
  5. Change admin passwords immediately
  6. Rotate Google OAuth credentials
  7. Check database for unauthorized changes

🛠️ Maintenance Commands

Run these periodically to maintain security:

  • Cleanup old failed logins: php artisan auth:cleanup-failed-logins (removes records > 7 days)
  • Clear application cache: php artisan cache:clear
  • Update dependencies: composer update (monthly)

📞 Security Contacts

There aren’t any published security advisories