Secure RosarioSIS
This article aims at giving security hints for RosarioSIS.
Instead of creating the RosarioSIS database as the default postgres superuser, create a dedicated PostgreSQL user for it. Then, if the RosarioSIS database password is discovered, only that one database is exposed and not the whole PostgreSQL server.
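The following SQL is an added example of that dedicated-user setup; it is not part of the RosarioSIS wiki or the project's own installer. The role name rosariosis_user, the database name rosariosis and the password are placeholders to be replaced, and the statements assume they are run through psql as the PostgreSQL superuser.

```sql
-- Added example: dedicated, least-privilege PostgreSQL role for RosarioSIS.
-- Run as the PostgreSQL superuser (e.g. psql -U postgres).
-- rosariosis_user, rosariosis and the password are placeholders: change them.

-- A plain login role: no superuser, createdb or createrole attributes,
-- so a leaked password cannot be used to administer the server.
CREATE ROLE rosariosis_user LOGIN PASSWORD 'CHANGE-ME-long-random-password'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- The application database is owned by that role, so RosarioSIS can create
-- and alter its own tables but has no rights on other databases.
CREATE DATABASE rosariosis OWNER rosariosis_user;

-- Connect to the new database before the next statements (psql: \c rosariosis).
-- Take away the default rights every role (PUBLIC) gets on a fresh database:
-- other accounts on the server should not be able to connect to it or
-- create objects in its public schema.
REVOKE ALL ON DATABASE rosariosis FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Check: the role must carry no elevated attributes (all three columns false).
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
  FROM pg_roles
 WHERE rolname = 'rosariosis_user';
```

Point the RosarioSIS database configuration at rosariosis_user and the rosariosis database afterwards, and keep the postgres superuser password out of the application configuration entirely.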
If you have successfully installed RosarioSIS on your production server:
Change the default usernames and passwords (admin, teacher, student, parent) and adopt a password policy. You can set the minimum Password Strength from within RosarioSIS, School > Configuration.
Here are some php.ini directives that can be modified for session security:

```ini
; session.use_strict_mode specifies whether the module will use strict session id mode.
; If this mode is enabled, the module does not accept uninitialized session ID.
; If uninitialized session ID is sent from browser, new session ID is sent to browser.
; Applications are protected from session fixation via session adoption with strict mode.
; Defaults to 0 (disabled).
; http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
session.use_strict_mode = 1

; http://php.net/session.hash-function
; Note: session.hash_function only applies to PHP versions before 7.1. It was removed
; in PHP 7.1, where session IDs are generated from the system random source instead,
; so on current PHP this line has no effect.
session.hash_function = sha256
```
Here is a good set of Apache rules to block attacks: 6G Blacklist 2019
WebSecTools, protect your website.
Mozilla Observatory, test your server security.