Security Best Practices

Guidelines for keeping your VelvetCMS application secure

Category: Security

While VelvetCMS Core provides a secure foundation, the security of your application also depends on how you build and configure it.

1. Environment Configuration

  • Debug Mode: Ensure APP_DEBUG is set to false in your production .env file. Debug mode can expose sensitive configuration and stack traces to users.

2. Input Validation

Never trust user input. Always validate incoming data before processing it.

// Bad: the raw request value is written to the database without any validation
$db->table('users')->insert(['email' => $_POST['email']]);

// Good: validate first, and only use the value that passed the check
$email = filter_var($request->input('email'), FILTER_VALIDATE_EMAIL);
if (!$email) {
    throw new ValidationException('Invalid email');
}

3. File Uploads

If your application accepts file uploads:

  • Validate the file MIME type and extension.
  • Rename uploaded files to random strings to prevent overwriting or guessing.
  • Store uploads outside the public web root if possible, or use a dedicated storage service.
  • Never allow execution of uploaded files (e.g., .php files).
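The four points above combined into one upload handler, added here as an example; it is not VelvetCMS code. The allow-list, the 5 MiB limit, the `storeUpload` name and the `storage/uploads` location are assumptions.

```php
<?php
// Added example (not VelvetCMS code): validate, rename and store one uploaded
// file as described above. Allow-list, size limit and paths are assumptions.

declare(strict_types=1);

// Allowed extension => MIME type(s) that finfo reports for genuine files of that kind.
const UPLOAD_ALLOW_LIST = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

const UPLOAD_MAX_BYTES = 5 * 1024 * 1024; // 5 MiB, an assumed limit

/**
 * Validate and store one entry from $_FILES (e.g. $_FILES['attachment']).
 * $storageDir must lie outside the public web root, e.g. storage/uploads.
 * Returns the stored path; throws RuntimeException on any rejection.
 */
function storeUpload(array $file, string $storageDir): string
{
    // 1. PHP's own upload status: anything but UPLOAD_ERR_OK is a rejection.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    // The temp file must really have arrived via this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (($file['size'] ?? 0) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Extension check against the allow-list. pathinfo() takes the *last*
    //    extension, so "report.pdf.php" is judged by "php" and rejected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOW_LIST[$ext])) {
        throw new RuntimeException('File type not allowed');
    }

    // 3. MIME type taken from the file *contents*, never from $file['type'],
    //    which is whatever the client chose to send.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, UPLOAD_ALLOW_LIST[$ext], true)) {
        throw new RuntimeException('File contents do not match extension');
    }

    // 4. Random server-side name: no user-controlled text reaches the path,
    //    so nothing can be overwritten or guessed. 16 bytes -> 32 hex chars.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;

    // 5. Destination outside the web root. realpath() returns false for a
    //    directory that does not exist, which we treat as a hard failure.
    $realDir = realpath($storageDir);
    if ($realDir === false || !is_dir($realDir)) {
        throw new RuntimeException('Storage directory not available');
    }
    $dest = $realDir . DIRECTORY_SEPARATOR . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    // Owner read/write only. The file can never be handed to the PHP
    // interpreter because ".php" is not in the allow-list and the directory is
    // outside the document root; the mode just keeps other local users out.
    chmod($dest, 0600);

    return $dest;
}

// Usage in a controller (assumed request shape and path):
// $path = storeUpload($_FILES['attachment'], __DIR__ . '/../storage/uploads');
```

Because the files live outside the web root, they are delivered through a controller that reads the record, sets `Content-Type` from the stored MIME type and `Content-Disposition: attachment`, rather than by a direct URL. `image/svg+xml` is deliberately absent from the allow-list: browsers execute script embedded in SVG, so it is not a safe "image" to serve from your origin.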

4. Directory Permissions

Ensure your web server has the minimum necessary permissions:

  • storage/ and bootstrap/cache/ should be writable by the web server user.
  • All other directories should be read-only.
  • .env file should never be accessible via the web browser.
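A small audit script for the layout above, added here as an example and not part of VelvetCMS. It is meant to be run from the application root as the web server user (for example `sudo -u www-data php audit-permissions.php`). The directory names are the ones listed on this page; the script name, the function names and the "owner only" expectation for `.env` are assumptions.

```php
<?php
// Added example (not VelvetCMS code): checks the permission layout described
// above. Run as the web server user from the application root:
//   sudo -u www-data php audit-permissions.php [/path/to/app]
// Directory names come from this page; everything else is an assumption.

declare(strict_types=1);

/** Directories the web server user must be able to write to. */
const MUST_BE_WRITABLE = ['storage', 'bootstrap/cache'];

/** Files that should be readable by their owner only. */
const OWNER_ONLY_FILES = ['.env'];

/** Name of the user this script runs as, so findings read clearly. */
function currentUser(): string
{
    if (function_exists('posix_geteuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        if (is_array($pw)) {
            return $pw['name'];
        }
    }
    return get_current_user(); // fallback: owner of the running script
}

/**
 * Returns a list of findings for $root; an empty list means the layout
 * matches the expectations above.
 */
function auditPermissions(string $root): array
{
    $root = rtrim($root, '/');
    $findings = [];

    // The directories the application writes to must be writable by this user.
    foreach (MUST_BE_WRITABLE as $rel) {
        $path = "$root/$rel";
        if (!is_dir($path)) {
            $findings[] = "$rel/: missing";
        } elseif (!is_writable($path)) {
            $findings[] = "$rel/: not writable by " . currentUser();
        }
    }

    // Every other top-level directory should be read-only for this user.
    foreach (new DirectoryIterator($root) as $entry) {
        if ($entry->isDot() || !$entry->isDir()) {
            continue;
        }
        $name = $entry->getFilename();
        if (!in_array($name, MUST_BE_WRITABLE, true) && $entry->isWritable()) {
            $findings[] = "$name/: writable by " . currentUser() . ', expected read-only';
        }
    }

    // Secrets: no group or other bits at all on .env.
    foreach (OWNER_ONLY_FILES as $rel) {
        $path = "$root/$rel";
        if (is_file($path) && (fileperms($path) & 0077) !== 0) {
            $findings[] = sprintf('%s: mode %04o, expected 0600 (owner only)', $rel, fileperms($path) & 0777);
        }
    }

    // World-writable anything is a finding, even under storage/: the web
    // server should get write access through ownership or group, never o+w.
    try {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $file) {
            if (($file->getPerms() & 0002) !== 0) {
                $findings[] = substr($file->getPathname(), strlen($root) + 1) . ': world-writable';
            }
        }
    } catch (UnexpectedValueException $e) {
        // An unreadable subdirectory stops the walk; report it rather than hide it.
        $findings[] = 'scan incomplete: ' . $e->getMessage();
    }

    return $findings;
}

$findings = auditPermissions($argv[1] ?? getcwd());
foreach ($findings as $f) {
    echo $f, PHP_EOL;
}
exit($findings === [] ? 0 : 1);
```

File modes cannot tell you whether `.env` is reachable through the browser; that depends on the web server's document root. Keep the document root on the application's public directory so `.env` sits above it, and confirm by requesting `/.env` from outside and expecting a 403 or 404.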

5. HTTPS

Always serve your application over HTTPS. This encrypts traffic between the client and server, protecting passwords, session tokens, and other sensitive data.

In your .env file, set:

APP_URL=https://yourdomain.com

6. Rate Limiting

Enable the throttle middleware on public-facing forms (login, contact, registration) to prevent brute-force attacks.

// config/http.php
'rate_limit' => [
    'max_attempts' => 10, // Global rate limit
    'decay_minutes' => 1, // Window after which the attempt counter resets
],
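To make the two settings concrete, here is a fixed-window limiter that reads the same `max_attempts` and `decay_minutes` keys. It is an added illustration of the semantics, not VelvetCMS's throttle middleware: the class name, the in-memory store and the `rateLimitKey` helper are assumptions, and the client address is a constructed TEST-NET-3 value.

```php
<?php
// Added example (not VelvetCMS code): fixed-window rate limiting with the
// max_attempts / decay_minutes semantics from config/http.php. The in-memory
// store is for illustration only; a real deployment needs a store shared
// across PHP workers (APCu, Redis, a database table).

declare(strict_types=1);

final class FixedWindowRateLimiter
{
    /** @var array<string, array{count:int, window_start:int}> per-key counters */
    private array $store = [];

    public function __construct(
        private int $maxAttempts,
        private int $decayMinutes,
    ) {}

    /**
     * Record one attempt for $key and say whether it is allowed.
     * Returns ['allowed' => bool, 'remaining' => int, 'retry_after' => int seconds].
     * $now is injectable so the behaviour can be demonstrated without waiting.
     */
    public function hit(string $key, ?int $now = null): array
    {
        $now = $now ?? time();
        $windowSeconds = $this->decayMinutes * 60;
        $bucket = $this->store[$key] ?? null;

        // Start a fresh window if there is none or the previous one has decayed.
        if ($bucket === null || $now - $bucket['window_start'] >= $windowSeconds) {
            $bucket = ['count' => 0, 'window_start' => $now];
        }

        $bucket['count']++;
        $this->store[$key] = $bucket;

        $allowed    = $bucket['count'] <= $this->maxAttempts;
        $retryAfter = $allowed ? 0 : ($bucket['window_start'] + $windowSeconds) - $now;

        return [
            'allowed'     => $allowed,
            'remaining'   => max(0, $this->maxAttempts - $bucket['count']),
            'retry_after' => $retryAfter, // value for a Retry-After header on a 429
        ];
    }
}

/** Key per route and client, so one client cannot exhaust the login form for everyone. */
function rateLimitKey(string $route, string $clientIp): string
{
    return $route . '|' . $clientIp;
}

// Demo with the settings shown above: 10 attempts per 1-minute window.
$config  = ['rate_limit' => ['max_attempts' => 10, 'decay_minutes' => 1]];
$limiter = new FixedWindowRateLimiter(
    $config['rate_limit']['max_attempts'],
    $config['rate_limit']['decay_minutes'],
);
$key = rateLimitKey('POST /login', '203.0.113.7'); // constructed client address
$t0  = 1_700_000_000;                               // constructed start time

for ($i = 1; $i <= 11; $i++) {
    $r = $limiter->hit($key, $t0 + $i);
    // Attempts 1..10 are allowed; the 11th is rejected with retry_after 50 s
    // (the window opened at t0+1 and closes at t0+61).
    printf("attempt %2d: %s (remaining %d, retry_after %d)\n",
        $i, $r['allowed'] ? 'allowed' : 'rejected', $r['remaining'], $r['retry_after']);
}

// Once the window has decayed the counter starts over.
$r = $limiter->hit($key, $t0 + 61);
printf("after decay: %s\n", $r['allowed'] ? 'allowed' : 'rejected');
```

When the client address is part of the key, take it from the socket peer unless the request arrived from a proxy you operate; `X-Forwarded-For` from anywhere else is attacker-controlled and would let a client pick its own bucket. A rejected attempt should return 429 with the `retry_after` value in a `Retry-After` header and be logged, since a burst of rejections on the login route is exactly the signal a brute-force detection rule looks for.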