Security

We put a lot of thought into how much security is adequate for a typical microsite. Many security issues do not arise in PHP at all, and blaze cannot fix them completely. That is why we do not claim that blaze solves every security problem, but it does address some of them.

Some of the issues we tried to address while keeping simplicity in mind:

Session fixation

blaze does not accept expired sessions and regenerates session IDs frequently. The moment that matters most against fixation is login: a session ID that was known before authentication must not stay valid afterwards. You still have to configure your server correctly (cookie flags, session storage), but that is a different story.
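To make the two points above concrete, here is a session bootstrap written for this page as an added example; it is not blaze's own session code, and the idle and absolute timeouts are assumptions. It rejects stale sessions, issues a fresh ID on login so a pre-login ID cannot be replayed, and sets the cookie flags the server-side configuration should provide:

```php
<?php
// Added example, not blaze's session code: a session bootstrap that rejects stale
// sessions and issues a fresh ID on login. Timeouts are assumptions.
declare(strict_types=1);

const SESSION_IDLE_SECONDS     = 1800;  // assumption: 30 minutes of inactivity
const SESSION_ABSOLUTE_SECONDS = 28800; // assumption: 8 hours, regardless of activity

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,         // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now     = time();
    $idle    = isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > SESSION_IDLE_SECONDS;
    $expired = isset($_SESSION['created_at'])    && $now - $_SESSION['created_at']    > SESSION_ABSOLUTE_SECONDS;
    if ($idle || $expired) {
        // Expired: throw everything away and continue with a brand-new, anonymous session.
        destroySession();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['created_at']    = $_SESSION['created_at'] ?? $now;
    $_SESSION['last_activity'] = $now;
}

function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well, not only the data on the server.
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call this right after the credentials have been verified. Fixation relies on the
// attacker knowing the pre-login ID; replacing it here makes that knowledge useless.
function loginUser(string $username): void
{
    session_regenerate_id(true); // true: delete the data stored under the old ID
    $_SESSION['user']          = $username;
    $_SESSION['created_at']    = time();
    $_SESSION['last_activity'] = time();
}

function logoutUser(): void
{
    destroySession();
}

startSecureSession();
```

Include this before any output is sent, since both the cookie and the redirects depend on headers. `session.use_strict_mode` is the setting that actually closes the fixation hole for IDs an attacker made up; `session_regenerate_id(true)` closes it for IDs the server issued before login.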

SQL Injection

blaze's database handler escapes all data you insert, so string values should not be a problem. Keep in mind that escaping only protects values that end up inside quoted string literals: numbers, column or table names and ORDER BY or LIMIT clauses are never quoted, so anything user-controlled that goes there still has to be validated or matched against an allow-list by you.
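The following is an added example, not blaze's database handler, showing the three cases a practitioner has to keep apart: bound string parameters, integer values that are never quoted, and identifiers that cannot be bound at all. The in-memory SQLite table is constructed inside the script so it runs offline:

```php
<?php
// Added example, not blaze's database handler: bound parameters with PDO, and the two
// cases escaping alone does not cover. The in-memory SQLite table is constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use the driver's real prepared statements
]);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, hits INTEGER)');
$pdo->exec("INSERT INTO pages (slug, title, hits) VALUES ('home', 'Home', 10), ('about', 'About', 3)");

// 1. String values: bind them; the driver keeps query text and data apart, so no escaping is needed.
function findBySlug(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('SELECT id, slug, title FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Numeric values: escaping "1 OR 1=1" changes nothing because the value is never inside
//    quotes. Validate it as an integer before it gets anywhere near the query.
function findById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, slug, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Identifiers (here an ORDER BY column) cannot be bound at all: match them against an allow-list.
function listPages(PDO $pdo, string $orderBy): array
{
    $allowed = ['slug' => 'slug', 'title' => 'title', 'hits' => 'hits'];
    $column  = $allowed[$orderBy] ?? 'slug'; // anything unexpected falls back to a safe default
    return $pdo->query("SELECT id, slug, title FROM pages ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// The classic payloads are treated as data and match nothing.
if (findBySlug($pdo, "home' OR '1'='1") !== null) {
    throw new RuntimeException('string injection matched a row');
}
if (findById($pdo, '1 OR 1=1') !== null) {
    throw new RuntimeException('numeric injection matched a row');
}
if (count(listPages($pdo, 'hits; DROP TABLE pages')) !== 2) {
    throw new RuntimeException('identifier injection altered the query');
}
echo findBySlug($pdo, 'home')['title'], PHP_EOL;
```

The allow-list in `listPages()` maps input to a fixed literal instead of echoing the input back, which is the only safe way to let a request choose a column or sort order.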

Sourcecode protection

blaze protects your source code. If an error occurs (and you have properly disabled debug mode), blaze suppresses the output completely and sends the error messages to you by email instead, so stack traces, file paths and code fragments never reach the browser. Make sure debug mode really is off on a public site; debug output is exactly the kind of information an attacker wants.
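As an added example of the mechanism described above (not blaze's own error handler), this bootstrap turns off on-screen errors, routes warnings and fatal errors through one handler that discards any partially rendered page, logs the details and mails them to the site owner. The admin address, the log path and a working `mail()` setup are assumptions:

```php
<?php
// Added example, not blaze's error handler: never show errors to visitors, log them,
// mail them to the owner, and discard any partial output. Address and log path are assumptions.
declare(strict_types=1);

const ADMIN_EMAIL = 'webmaster@example.com';             // assumption
const ERROR_LOG   = __DIR__ . '/../logs/php-error.log';  // assumption: outside the web root

ini_set('display_errors', '0');          // nothing about errors goes to the browser
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG);
error_reporting(E_ALL);

// Turn warnings and notices into exceptions so a single handler covers everything.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // respects the @ operator and disabled levels
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

function failClosed(string $report): void
{
    // Drop any partial page so fragments of markup or data do not leak.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    error_log($report);
    // mail() needs a configured MTA; the @ keeps a mail failure from producing a second error.
    @mail(ADMIN_EMAIL, 'Site error on ' . ($_SERVER['HTTP_HOST'] ?? 'cli'), $report);

    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo '<h1>Something went wrong</h1><p>The site owner has been notified.</p>';
}

set_exception_handler(function (Throwable $e): void {
    failClosed(sprintf(
        "%s: %s in %s:%d\n%s\n",
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString()
    ));
});

// Parse errors in included files and out-of-memory conditions bypass the exception
// handler; catch them at shutdown so they cannot dump a trace either.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        failClosed(sprintf("Fatal %d: %s in %s:%d\n", $err['type'], $err['message'], $err['file'], $err['line']));
    }
});

ob_start(); // buffer the page so the handlers can throw it away on failure
```

The `ob_start()` at the end is what makes "shut down the output" possible: without buffering, whatever was echoed before the error has already left the server.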

Configuration files

All of blaze's files and folders are hidden from public view as long as you leave the .htaccess directives in place. Note that .htaccess files are only honoured by Apache with AllowOverride enabled; on other web servers (nginx, for example) you have to reproduce the rules in the server configuration yourself.

Clickjacking

blaze tries to prevent clickjacking: your site cannot be loaded in a frame or iframe unless the framing page resides under the same domain name. You may allow framing by calling the allowFraming() method of the output component. Read the component documentation to learn more.
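For readers who want to see what "same domain only" and an opt-in allow-list look like at the HTTP level, here is an added example. It is not blaze's output component: the `allowFraming()` name mirrors the method the documentation mentions, but this implementation and the `embed` query parameter are assumptions.

```php
<?php
// Added example, not blaze's output component. The allowFraming() name mirrors the
// documented method; this implementation and the ?embed= opt-in are assumptions.
declare(strict_types=1);

function denyFramingExceptSelf(): void
{
    // Send both: CSP frame-ancestors is the current standard, X-Frame-Options covers older browsers.
    header('X-Frame-Options: SAMEORIGIN');
    header("Content-Security-Policy: frame-ancestors 'self'");
}

/**
 * Allow specific origins (scheme + host, optionally a port) to frame the page.
 * X-Frame-Options has no multi-origin form, so the allow-list lives in the CSP header
 * and X-Frame-Options is removed; browsers that understand frame-ancestors ignore it anyway.
 */
function allowFraming(array $origins): void
{
    $clean = [];
    foreach ($origins as $origin) {
        // Reject anything that is not a plain origin, so a caller cannot smuggle extra directives in.
        if (!preg_match('~^https?://[A-Za-z0-9.-]+(:\d+)?$~', $origin)) {
            throw new InvalidArgumentException("Not a valid origin: $origin");
        }
        $clean[] = $origin;
    }
    header_remove('X-Frame-Options');
    header("Content-Security-Policy: frame-ancestors 'self' " . implode(' ', $clean));
}

// The deny-by-default header goes out before any output; an opt-in replaces it.
denyFramingExceptSelf();
if (($_GET['embed'] ?? '') === 'partner') {          // assumption: one embedding partner
    allowFraming(['https://partner.example']);       // assumption: the partner's origin
}
```

If the page already sends a Content-Security-Policy with other directives, merge `frame-ancestors` into that header instead of replacing it as this example does.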

Other issues that blaze cannot cover

CSRF

CSRF comes into play whenever you process user input that changes state (saving a form, deleting an item, logging out). For the moment, we leave this to you as a developer: every state-changing request needs a secret token that an attacker's page cannot know. There will be a form builder plugin that includes validation and CSRF protection - stay tuned.
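Until that plugin exists, the synchronizer-token pattern below is what you have to do by hand. It is an added example and not part of blaze or its form builder; the field name `csrf_token` is an assumption.

```php
<?php
// Added example, not blaze's form builder: a per-session synchronizer token for forms.
declare(strict_types=1);

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(): bool
{
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so timing reveals nothing about the token.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... handle the state-changing request here ...
    echo 'Saved.';
}
?>
<form method="post" action="">
  <?= csrfField() ?>
  <input type="text" name="title">
  <button type="submit">Save</button>
</form>
```

Two points that make or break this: the token must only ever be accepted from the request body (never from a query string, where it ends up in logs and referrers), and state changes must only be accepted via POST, since a GET can be triggered by any image tag on any site.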

XSS

Cross-site scripting is listed here because blaze does not escape output for you. XSS is not primarily a JavaScript bug: it happens whenever user-controlled data is written into HTML, an attribute, a URL or a script block without being escaped for that context. Escape on output, and in your own JavaScript avoid innerHTML and eval() on anything that comes from the request or from user-supplied data.
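The added example below (not blaze code) shows escaping per output context: HTML text and attributes, an href that must not become `javascript:`, and a value handed to inline JavaScript. The comment data is constructed in the script to stand in for stored user input.

```php
<?php
// Added example, not blaze code: escape user-controlled data for the context it is written into.
declare(strict_types=1);

// HTML text and quoted attribute values.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value embedded in an inline <script>. The HEX flags escape <, >, &, ' and ",
// so "</script>" inside the data cannot close the script block.
function eJs($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// An href: escaping alone does not stop "javascript:" URLs, so allow-list the scheme.
function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

// Constructed sample input standing in for a stored comment; every field is hostile.
$comment = [
    'author'  => '<script>alert(1)</script>',
    'website' => 'javascript:alert(document.cookie)',
    'text'    => '"><img src=x onerror=alert(1)>',
];
?>
<p>Posted by <?= e($comment['author']) ?></p>
<a href="<?= safeUrl($comment['website']) ?>" title="<?= e($comment['text']) ?>">website</a>
<script>
  var comment = <?= eJs($comment) ?>;
  // Insert as text through the DOM API; innerHTML would re-parse the markup.
  document.querySelector('p').appendChild(document.createTextNode(' - ' + comment.text));
</script>
```

Note that `e()` alone would not have saved the link: `javascript:alert(...)` contains no character that HTML escaping touches, which is why each context needs its own rule.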

All the other things

When it comes to security, there is a lot to learn and to know. Make sure to stay up to date.


Other security related things

Use SSL

It is strongly recommended to run any kind of website over SSL/TLS (HTTPS). Ask your web hosting provider how to enable it. blaze is ready for it; once the certificate is in place, redirect plain HTTP to HTTPS and mark the session cookie as secure so it is never sent in the clear.
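What "ready for it" leaves to you is the redirect and the HSTS header. The added example below is not blaze code; the canonical host name and the reverse-proxy setting are assumptions.

```php
<?php
// Added example, not blaze code: force HTTPS and announce it to browsers via HSTS.
// Must run before any output. CANONICAL_HOST and BEHIND_TRUSTED_PROXY are assumptions.
declare(strict_types=1);

const CANONICAL_HOST       = 'www.example.com'; // assumption; never redirect to a host taken from the request
const BEHIND_TRUSTED_PROXY = false;             // assumption: true only if the proxy overwrites X-Forwarded-Proto

function requestIsHttps(): bool
{
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        return true; // TLS terminated by this web server
    }
    // Behind a reverse proxy the hop to PHP may be plain HTTP although the client used HTTPS.
    // Only believe the forwarded header if the proxy is known to strip client-sent copies.
    return BEHIND_TRUSTED_PROXY && ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

function enforceHttps(): void
{
    if (!requestIsHttps()) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
    // One year, including subdomains: browsers will refuse plain HTTP to this host from now on,
    // so enable this only once every subdomain really serves HTTPS.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    // The session cookie must never travel over plain HTTP either.
    ini_set('session.cookie_secure', '1');
}

enforceHttps();
```

The redirect deliberately uses a configured host instead of the Host header from the request, so an attacker cannot turn the redirect into a hop to a domain of their choosing.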

Users

You will find a 'Security' section in the backend where you can change usernames and passwords.

We decided to store usernames and passwords in readable form because they are only accessible to someone who can read the raw files, and anyone who gets that far has your raw source code anyway. Bear in mind that people reuse passwords: a plain-text password taken from your config may also open the same person's accounts elsewhere, which a hash would prevent.

If you want a higher level of security, feel free to modify blaze's auth component to store hashes instead of readable text. PHP's password_hash() and password_verify() make this rather easy to do.

Usernames and passwords may consist of any characters you like. When changing them in the config file, be aware of JSON escaping rules: double quotes and backslashes inside a value must be escaped with a backslash. Read more about this in the config file section.
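For the two preceding points (hashes instead of readable text, and JSON as the storage format), here is an added example of what the modified auth component could do. It is not blaze's auth component and the `users.json` layout is an assumption, not blaze's config format; it also upgrades legacy plain-text entries on their first successful login.

```php
<?php
// Added example, not blaze's auth component: password_hash() output kept in a JSON file,
// verification with password_verify(), and in-place upgrade of plain-text entries.
// The file location and its {"user": "hash"} layout are assumptions.
declare(strict_types=1);

const USERS_FILE = __DIR__ . '/users.json'; // assumption: keep it outside the web root

function loadUsers(): array
{
    if (!is_file(USERS_FILE)) {
        return [];
    }
    return json_decode(file_get_contents(USERS_FILE), true, 512, JSON_THROW_ON_ERROR);
}

function saveUsers(array $users): void
{
    // json_encode escapes quotes and backslashes for you; UNESCAPED_SLASHES keeps "$2y$..." readable.
    $json = json_encode($users, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
    file_put_contents(USERS_FILE, $json, LOCK_EX);
}

function setPassword(string $username, string $password): void
{
    $users = loadUsers();
    $users[$username] = password_hash($password, PASSWORD_DEFAULT); // bcrypt, random salt per hash
    saveUsers($users);
}

function isHashed(string $stored): bool
{
    $algo = password_get_info($stored)['algo'];
    return $algo !== null && $algo !== 0; // null (PHP >= 7.4) or 0 (older) means "not a known hash"
}

function verifyLogin(string $username, string $password): bool
{
    $users  = loadUsers();
    $stored = $users[$username] ?? null;
    if ($stored === null) {
        password_hash($password, PASSWORD_DEFAULT); // burn the same time so a missing user is not distinguishable
        return false;
    }
    if (!isHashed($stored)) {
        // Legacy plain-text entry: constant-time compare, then replace it with a hash.
        if (!hash_equals($stored, $password)) {
            return false;
        }
        setPassword($username, $password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        setPassword($username, $password); // the default cost went up since this hash was made
    }
    return true;
}

// Constructed walk-through: create a user, then check a right and a wrong password.
setPassword('editor', 'correct horse battery staple');
if (!verifyLogin('editor', 'correct horse battery staple') || verifyLogin('editor', 'wrong')) {
    throw new RuntimeException('password check misbehaved');
}
```

With this in place the config file still holds the usernames in readable form, but the password column is a bcrypt string that is useless to anyone who copies the file.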

Frontend access to sensitive data

blaze comes with a fine-tuned .htaccess file. No sensitive data is exposed to the public. You may of course tweak the settings to fit your needs if there is anything you have to adjust.

Password protection for frontend pages

You may want to use the built-in login for frontend pages. No problem, blaze is prepared for that. Take a look at the authentication component that comes with blaze.