Questions tagged [security]
72 questions
5 votes
1 answer
How do _you_ protect input against XSS? ("HtmlPurifier"?)
I've been playing with Craft for days now and love it. I'm new to Yii but I think I got the hang of everything and how you develop a Craft Plugin. My question is regarding security on input post/get vars.
Reading Yii's documentation it seems the…
naboovalley
- 2,844
- 1
- 16
- 26
5 votes
1 answer
Content Security Policy CSP
On Craft 2.x, is it a known limitation that we must allow unsafe-inline for script-src in the Content-Security-Policy? My admin dashboard fails to load when I don't allow it.
...Trying to get a high grade on Mozilla Observatory :)
bbeecher
- 163
- 3
4 votes
1 answer
Removing x-powered-by and changing cookies names for security?
I noticed that anyone interested in finding out what software is used for my website could find that out very easily just by looking at the headers and cookies received by craft.
You can find two headers that will expose craft:
"Set-Cookie":…
Samuel E.
- 239
- 1
- 7
3 votes
2 answers
Is it safe to have PHP files in the public directory of a craft cms website?
I just ‘discovered’ that the developer on my client’s craft website has been migrating his old landing pages to the new setup by cramming the older static pages into the public directory instead of using the CMS.
There are a lot of PHP files there…
Amit Erandole
- 338
- 2
- 12
3 votes
2 answers
Is it possible to restrict access to a page based on a visitor's country?
Is it possible to restrict access to a page based on a visitor's country?
For instance, only users in the US can view the FAQ page?
Thanks!
Jeremy P
- 51
- 3
2 votes
1 answer
RCE in CVE-2023-418925: Can it be exploited without being logged into Craft?
Does anyone know if the RCE vulnerability in CVE-2023-418925 (Github link) can be exploited without being logged into Craft? I have a couple of smaller sites that I'd rather not update right now.
Magnus
- 171
- 1
- 7
2 votes
1 answer
Temporary access to an entry
I have an entry that is currently password protected and I am looking for a way to give non-Craft users temporary access to this entry, either by a token or something else. Anyone know how I can accomplish this?
jpoiri
- 231
- 1
- 5
2 votes
1 answer
Does Craft CMS support 'encryption at rest' / 'data at rest' encryption?
Does Craft CMS support 'encryption at rest' / 'data at rest' encryption? I've looked here, here, and here - but can't find any info on this. Explain like I'm 5. Thanks.
Adam George
- 289
- 1
- 11
1 vote
1 answer
Can we use Active Directory for Access Control?
We have a quite elaborate setup for Active Directory, and would like to use this to provision & deprovision access to the Control Panel. Would this be possible in Craft core or in a plugin? Are there hooks to use alternative access methods?
Steven
- 133
- 4
0 votes
1 answer
Protected Web Page
Is there a way to build a protected webpage within Craft? Something that can only be accessed if you have the actual link. Something that you cannot click through to from the website. The point is to have a webpage that only the employees can access.…