Is storing username and password in config/common.neon secure?
- Cupara
- Member | 90
Is it secure to store a username and password in the config/common.neon file without the password being hashed?
I ask as I'm following the Create Your First Application! tutorial and I'm on the last section of Authentication. I'll still follow it but I'm wondering if and how I could implement a user system so that the passwords are stored in the database and they are hashed?
Thanks
- m.brecher
- Generous Backer | 872
Yes it is absolutely secure. But what is very important from the point of security view is restrict http access to the root directory of the application !!! Http access must be allowed only to the /www subdirectory, where are static css, js, jpg and other files. Than database credetials are safe.
- Cupara
- Member | 90
@m.brecher is there a way to use .htaccess to restrict access to all folders except www folder and to use .htaccess to have it so when someone loads serenitydev.xyz it automatically loads from the www folder or do I need to edit my conf file for my domain to accomplish that?
- nightfish
- Member | 518
@Cupara The best way is always to point DocumentRoot
to
www
folder (if using Apache web server) – see docs
for reasoning.
There is a solution using .htaccess
in root folder which passes
requests to www/index.php
, but that comes with security issues –
mainly because you would then need to place .htaccess
files into
all non-www subdirectories to explicitly deny access
(Require all denied
or Deny from all
).
- nightfish
- Member | 518
@Cupara As for the original question – I wouldn't personally use
security.admin.users
config in production code. I would probably
write my own authenticator, save hashed passwords in the config file
and have authenticator check password's hash (password_verify).
Or do the same thing, but with password hashes stored in a database (see https://doc.nette.org/…thentication#…
for example implementation).
For the purposes of “Create your first application” it seems sufficient.
- m.brecher
- Generous Backer | 872
@Cupara
is there a way to use .htaccess to restrict access to all folders except www folder
Yes it is, but:
I personally am not the best sample how to build secure web application, because I still use .htaccess for restriction http access to /app directory. This is because I am relatively novice in Nette Framework and all my old pure php projects were secured this way. This way is not the best as @nightfish correctly notices, but on small websites you can use it as a “temporary” solution. The best way is definitely configure DocumentRoot to /www folder.
So this is my “not the best” .htaccess solution:
project directory system:
/app
/Presenters
/Model
/templates
... etc
Bootstrap.php
/config
/log
/temp
/vendor
/www
/css
/js
/photo
index.php
.htaccess
robots.txt
.htaccess
.composer.json
.composer.lock
There are two .htaccess files, first in DocumentRoot, second in /www subdirectory
first .htaccess (in /)
Require all granted
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^localhost$
RewriteRule (.*) /project/www/$1
RewriteCond %{HTTP_HOST} !^localhost$
RewriteRule (.*) /www/$1
Because I do development not on Docker, but on Windows, I have all project on development machine on localhost server. Separate projects are in separate folders. On production server there is always project directly in DocumentRoot – that's why there is different algorithm for development ^localhost$ and production !^localhost$. This code makes internal redirection of all http requests to the /www folder.
This algorithm about himself is “100%” secure and there is no way how to http access any subdirectory in root with one exception /www. BUT there is another security risk than algorithmic. All the website security depends on one single file to be permanently existing in /. If God forbid somebody by mistake deletes this file than big accident may happen! So you may go this way – I am doing this many many years, but be very carefully when manipulate the .htaccess files.
second .htaccess (in /www)
Require all granted
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^localhost$
RewriteCond %{HTTPS} !on
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule /\.|^\.(?!well-known/) - [F]
RewriteCond %{HTTP_HOST} ^localhost$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ /project/index.php [L]
RewriteCond %{HTTP_HOST} !^localhost$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ index.php [L]
</IfModule>
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json application/xml image/svg+xml
</IfModule>
</IfModule>
There are also slight different algorithms for development x production machines. The key code is this:
RewriteRule !\.(pdf|js|ico|gif|jpg|jpeg|png|webp|svg|css)$ index.php [L]
All http requests with exception of static files are internally redirected to index.php and from here to framework. The static files are filtered by file extensions .pdf, .js etc… You may use another static files filtering if you want.
This above two .htaccess solution works perfectly, but use it on small not important projects. And only as temporary solution.
Last edited by m.brecher (2023-12-25 00:58)