Security measures for Engineblock
November 29, 2023 ยท View on GitHub
HTTP Headers
HTTP Headers are set not by Engineblock itself so the deployer needs to set these in the webserver that serves the EB requests.
We recommend at least:
- Strict-Transport-Security: max-age=
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Content-Security-Policy: TODO
PHP settings
We recommend to set disable_functions to:
exec,passthru,shell_exec,system,popen,curl_multi_exec,show_source,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority`
This is of relevance specifically to limit the scope of what Attribute Manipulations (which are PHP code) are able to accomplish.