Security Overview
How VelvetCMS Core keeps your application secure
VelvetCMS Core is designed with security as a first-class citizen. We believe that security should be easy to implement and hard to bypass.
Core Security Features
1. XSS Protection (Cross-Site Scripting)
The Velvet Template Engine automatically escapes all output by default. When you use {{ $variable }} in your templates, special characters are converted to HTML entities, preventing malicious scripts from executing.
To output raw HTML (only do this for trusted content!), use the raw syntax: {!! $variable !!}.
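The escaped and raw output paths described above, as an added example that is not the Velvet Template Engine's own code. The helper names (escapeForHtml, renderComment) are assumptions; the point is what htmlspecialchars does to user-supplied markup on the {{ }} path and why the {!! !!} path must only ever see content you control.

```php
<?php
declare(strict_types=1);

// Added example, not VelvetCMS code. Models the {{ $variable }} (escaped) and
// {!! $variable !!} (raw) distinction with two plain PHP helpers.

/** Escape a value the way {{ $variable }} output should be treated. */
function escapeForHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a comment card. The author is always escaped; the body is escaped
 * unless $trusted is true, which mirrors choosing {!! !!} in a template.
 */
function renderComment(string $author, string $body, bool $trusted = false): string
{
    $safeAuthor = escapeForHtml($author);
    $safeBody   = $trusted ? $body : escapeForHtml($body);
    return "<article><h3>{$safeAuthor}</h3><p>{$safeBody}</p></article>";
}

// Constructed sample input: a visitor submitted text that contains markup.
$untrusted = '<b>hello</b> <script>alert(1)</script>';

// Escaped path: the angle brackets become entities, so the browser shows the
// markup as literal text and never parses a <script> element.
echo renderComment('Alice', $untrusted), PHP_EOL;

// Raw path: only for content your own code produced or sanitised (for example
// Markdown you rendered server-side), never for request input.
echo renderComment('Editor', '<em>Welcome back</em>', true), PHP_EOL;
```

Treat the trusted flag the same way you treat {!! !!}: a reviewer should be able to trace every value that reaches it back to a source the application controls.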
2. CSRF Protection (Cross-Site Request Forgery)
VelvetCMS includes built-in CSRF protection for all state-changing HTTP requests (POST, PUT, DELETE, PATCH). See the CSRF Documentation for details.
3. SQL Injection Prevention
The Query Builder uses PDO prepared statements for all bindings. This means your application is automatically protected against SQL injection attacks when using the builder methods (where, insert, update, etc.).
Never inject user input directly into raw SQL strings. Always use bindings.
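A string-built query beside its parameterised form, as an added example that is not the VelvetCMS Query Builder's code. It runs against an in-memory SQLite database (assumes the pdo_sqlite extension) so the difference can be observed directly; the table, rows and input string are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not VelvetCMS code. Contrasts a query that embeds input in the
// SQL text with one that binds it as a parameter, against constructed data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (email, role) VALUES
            ('alice@example.test', 'admin'),
            ('bob@example.test',   'user')");

/** Vulnerable on purpose: the input is spliced into the SQL text. Shown only for contrast. */
function findByEmailUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email, role FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Safe: the value travels as a bound parameter and is never parsed as SQL. */
function findByEmailSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email, role FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input that closes the quoted literal and appends an always-true condition.
$input = "' OR '1'='1";

// Unsafe: the WHERE clause has become a tautology, so every user row comes back,
// including the admin account the caller never asked for.
$leaked = findByEmailUnsafe($pdo, $input);

// Safe: the same string is compared literally as an email address; nothing matches.
$bound = findByEmailSafe($pdo, $input);

printf("unsafe query returned %d row(s), bound query returned %d row(s)\n",
       count($leaked), count($bound));
```

The builder methods named in the section above (where, insert, update) take the second path for you; the only way to end up on the first is to assemble raw SQL strings yourself.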
4. Rate Limiting
To prevent abuse and Denial of Service (DoS) attacks, VelvetCMS includes a ThrottleRequests middleware. This limits the number of requests a single IP address can make within a given timeframe.
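A fixed-window per-address limiter with the 429 handling a middleware would wrap around it, as an added example. It is hypothetical code, not the ThrottleRequests middleware; the class name, method names and the header set are assumptions, and the request times are constructed so the window roll-over can be followed without waiting.

```php
<?php
declare(strict_types=1);

// Added example, not VelvetCMS code. A per-IP fixed-window limiter plus the
// response a middleware would produce once the limit is exceeded.

final class FixedWindowLimiter
{
    /** @var array<string, array{count:int, windowStart:int}> one bucket per client address */
    private array $buckets = [];

    public function __construct(private int $maxRequests, private int $windowSeconds) {}

    /**
     * Record one request and return [allowed, remaining, retryAfterSeconds].
     * $now is passed in rather than read from time() so behaviour is testable.
     */
    public function hit(string $ip, int $now): array
    {
        $bucket = $this->buckets[$ip] ?? ['count' => 0, 'windowStart' => $now];

        // Once the window has elapsed, start counting again from this request.
        if ($now - $bucket['windowStart'] >= $this->windowSeconds) {
            $bucket = ['count' => 0, 'windowStart' => $now];
        }

        $bucket['count']++;
        $this->buckets[$ip] = $bucket;

        $allowed    = $bucket['count'] <= $this->maxRequests;
        $remaining  = max(0, $this->maxRequests - $bucket['count']);
        $retryAfter = $allowed ? 0 : ($bucket['windowStart'] + $this->windowSeconds - $now);

        return [$allowed, $remaining, $retryAfter];
    }
}

/** Middleware-style wrapper: set rate-limit headers and answer 429 when over the limit. */
function throttle(FixedWindowLimiter $limiter, string $ip, int $now): int
{
    [$allowed, $remaining, $retryAfter] = $limiter->hit($ip, $now);
    header('X-RateLimit-Remaining: ' . $remaining);   // no-op under the CLI SAPI
    if (!$allowed) {
        header('Retry-After: ' . $retryAfter);
        http_response_code(429);
        return 429;
    }
    return 200;
}

// Constructed walk-through: at most 3 requests per 60 seconds from one address.
$limiter = new FixedWindowLimiter(3, 60);
$base    = 1_700_000_000;
foreach ([0, 1, 2, 3, 61] as $offset) {
    $status = throttle($limiter, '203.0.113.7', $base + $offset);
    printf("t+%-3d -> HTTP %d\n", $offset, $status);
}
// The first three requests pass, the fourth (t+3) is refused with a Retry-After
// pointing at the end of the window, and at t+61 a fresh window lets traffic through.
```

Keying the bucket on the client address is what the section describes; behind a reverse proxy make sure the address you key on is the one the proxy reports for the client, not the proxy's own, or every user shares one bucket.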
5. Secure Headers
VelvetCMS sets secure default headers for all responses, including:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
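Applying that default set to a response and checking a response for it, as an added example that is not VelvetCMS middleware code. The array-shaped header map and the function names are assumptions; the header values themselves are the ones listed above. The check function is the kind of thing a test suite can run so a missing default is caught before deployment.

```php
<?php
declare(strict_types=1);

// Added example, not VelvetCMS code. Merges the documented default headers into
// a response without clobbering explicit settings, and audits a header map.

/** The defaults named in the section above. */
const DEFAULT_SECURITY_HEADERS = [
    'X-Content-Type-Options' => 'nosniff',
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-XSS-Protection'       => '1; mode=block',
];

/**
 * Add each default only when the application has not already set that header.
 * Header names are case-insensitive, so the comparison is done in lower case.
 */
function withSecurityHeaders(array $headers, array $defaults = DEFAULT_SECURITY_HEADERS): array
{
    $present = array_change_key_case($headers, CASE_LOWER);
    foreach ($defaults as $name => $value) {
        if (!array_key_exists(strtolower($name), $present)) {
            $headers[$name] = $value;
        }
    }
    return $headers;
}

/**
 * Return the expected headers that are absent or carry a different value,
 * keyed by header name with the observed value (null when absent).
 */
function missingSecurityHeaders(array $headers, array $expected = DEFAULT_SECURITY_HEADERS): array
{
    $present  = array_change_key_case($headers, CASE_LOWER);
    $problems = [];
    foreach ($expected as $name => $value) {
        $actual = $present[strtolower($name)] ?? null;
        if ($actual !== $value) {
            $problems[$name] = $actual;
        }
    }
    return $problems;
}

// Constructed response: the application chose a stricter frame policy itself.
$appHeaders = [
    'Content-Type'    => 'text/html; charset=utf-8',
    'x-frame-options' => 'DENY',
];
$final = withSecurityHeaders($appHeaders);

foreach ($final as $name => $value) {
    header("$name: $value");      // emit for a real request; no-op under the CLI SAPI
    echo "$name: $value", PHP_EOL;
}
// The explicit DENY survives; nosniff and the X-XSS-Protection default are added.

// Audit a response that set none of the defaults: all three are reported.
foreach (missingSecurityHeaders(['Content-Type' => 'text/plain']) as $name => $seen) {
    echo "missing or wrong: $name (observed: ", var_export($seen, true), ")", PHP_EOL;
}
```

The merge deliberately keeps the stricter value the application set, so a page that opts into DENY is not quietly downgraded to SAMEORIGIN by the defaults. Note that X-XSS-Protection is a legacy header; current browsers ignore it, and a Content-Security-Policy header is where modern XSS mitigation at the response level happens.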
Reporting Vulnerabilities
If you discover a security vulnerability in VelvetCMS, please do not open a public issue. Email us at security@velvetcms.com. We will address the issue promptly.