Chapter 6. phpGraphy and Security

Table of Contents

Checking that my site is secure
Protecting sensitives directories
Security Best Practices
Strong password policy
Authentication mechanism
CookieValue
Reporting a security flaw

Checking that my site is secure

phpGraphy is composed of several directories, some of which must NOT be accessible from the evil Internet by browsing your website. There are actually four sensitive directories:

pictures/, conf/, logs/ and, if using the Flat File database, data/

To check that they aren't accessible, you just need to use your web browser and add the directory name after the normal URL used to access phpGraphy. For example, if the URL to access your phpGraphy installation is http://myprovider.com/phpgraphy/, then just check the following URLs:

http://myprovider.com/phpgraphy/pictures/

http://myprovider.com/phpgraphy/data/users.dat

http://myprovider.com/phpgraphy/conf/

http://myprovider.com/phpgraphy/logs/

You must get either a "404 Not Found" (this will be the case if you've moved your directories) or a "Not allowed" response.

Warning

If you get a "403 Access denied" when requesting a directory, it could simply mean that directory listing is prohibited, but malicious people might still be able to guess URLs by also providing a filename, so don't forget to test access to a file directly (i.e. the example above with users.dat).
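The checks described in this section, as an added shell script that is not part of phpGraphy's own documentation or code. It assumes curl is installed and that the base URL of your installation is supplied in the PHPGRAPHY_BASE_URL environment variable; the four paths are the ones listed above (data/users.dat is tested as a file precisely because a 403 on a directory only proves that listing is disabled).

```shell
#!/bin/sh
# Added example (not part of phpGraphy): probe the sensitive paths over HTTP and
# report which ones are reachable. Usage:
#   PHPGRAPHY_BASE_URL=http://myprovider.com/phpgraphy/ sh check_phpgraphy.sh

# Paths from the documentation: three directories plus one file inside data/.
SENSITIVE_PATHS="pictures/ data/users.dat conf/ logs/"

# classify_status CODE PATH
# Maps an HTTP status code to a verdict:
#   404            -> blocked        (directory moved or not served)
#   403 on a file  -> blocked        (access denied to the file itself)
#   403 on a dir   -> listing-denied (listing off, files inside may still be readable)
#   200            -> EXPOSED        (the content is served to anyone)
#   anything else  -> unknown        (redirect, error, host unreachable: check by hand)
classify_status() {
    code="$1"
    path="$2"
    case "$code" in
        404) echo "blocked" ;;
        403)
            case "$path" in
                */) echo "listing-denied" ;;
                *)  echo "blocked" ;;
            esac
            ;;
        200) echo "EXPOSED" ;;
        *)   echo "unknown" ;;
    esac
}

# fetch_status URL: print only the HTTP status code, without following redirects.
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# check_all BASE_URL: probe every sensitive path, print a verdict per path and
# return the number of paths that came back EXPOSED (0 means the checks passed).
check_all() {
    base="$1"
    exposed=0
    for path in $SENSITIVE_PATHS; do
        code=$(fetch_status "${base}${path}")
        verdict=$(classify_status "$code" "$path")
        printf '%-20s HTTP %s -> %s\n' "$path" "$code" "$verdict"
        case "$verdict" in
            EXPOSED) exposed=$((exposed + 1)) ;;
            listing-denied)
                echo "    directory listing is off, but test a known file inside it directly" ;;
        esac
    done
    return "$exposed"
}

# Only contact the network when a base URL was actually provided.
if [ -n "$PHPGRAPHY_BASE_URL" ]; then
    if check_all "$PHPGRAPHY_BASE_URL"; then
        echo "OK: none of the sensitive paths are served"
    else
        echo "FAIL: at least one sensitive path is readable, see Protecting sensitive directories"
        exit 1
    fi
fi
```

A non-zero exit status means at least one path answered 200, which is the case the next section tells you how to fix; a "listing-denied" line is not a pass by itself, which is why the script includes data/users.dat as a direct file probe.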

If your site doesn't seem to be secure, or simply isn't, then please read the next section, Protecting sensitive directories.