Security Best Practices

Security Overview

Flatboard 5 includes multiple security layers:

  • CSRF Protection - Prevents cross-site request forgery
  • Rate Limiting - Prevents abuse and brute force attacks
  • Input Validation - Sanitizes all user input
  • Permission System - Granular access control
  • Secure Sessions - Encrypted session management
  • File Upload Security - Validates and restricts uploads

CSRF Protection

What is CSRF?

Cross-Site Request Forgery (CSRF) attacks trick users into performing actions they didn't intend.

How Flatboard 5 Protects

  • CSRF Tokens - All forms include CSRF tokens
  • Token Validation - Tokens are validated on submission
  • Automatic Handling - Protection is automatic, no configuration needed

Best Practices

  • Never Disable CSRF - Always keep CSRF protection enabled
  • Use HTTPS - Encrypt connections to protect tokens
  • Validate Tokens - Always validate in custom code
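
The "validate in custom code" point above, as an added illustration that is not Flatboard's own App\Core CSRF implementation: a per-session token generated from random bytes, embedded as a hidden field, and checked with a constant-time comparison (all function names are assumptions).

```php
<?php
// Added example, not Flatboard's own code: a minimal per-session CSRF token
// for a custom plugin form, validated in constant time before any state change.
declare(strict_types=1);

session_start();

function csrfToken(): string
{
    // One token per session; 32 random bytes -> 64 hex characters.
    if (empty($_SESSION['_csrf_token'])) {
        $_SESSION['_csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf_token'];
}

function csrfField(): string
{
    // Hidden input to embed in every state-changing form.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '">';
}

function csrfValidate(mixed $submitted): bool
{
    // Reject non-strings (e.g. a "_csrf[]" array), a session without a token,
    // and wrong values; hash_equals() avoids a timing side channel.
    if (!is_string($submitted) || empty($_SESSION['_csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['_csrf_token'], $submitted);
}

// Usage in a custom plugin request handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValidate($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the form ...
}
```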

Rate Limiting

Purpose

Rate limiting prevents:

  • Brute force attacks
  • Spam and abuse
  • Resource exhaustion
  • DDoS attacks

Configuration

Access: Admin Panel > Settings > Security

Configure limits for:

  • Login Attempts - Max attempts per IP (default: 5)
  • Registration Attempts - Max registrations per IP (default: 3)
  • Password Reset - Max requests per hour (default: 3)
  • Post Creation - Max posts per time period
  • API Requests - Max API calls per key

Rate Limit Headers

Flatboard 5 sends rate limit headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200
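
To show how the login limit (default 5 per IP) and the headers above fit together, here is an added example that is not Flatboard's own rate limiter: a fixed-window per-IP counter kept as JSON under stockage/ (subdirectory name and the 15-minute window are assumptions).

```php
<?php
// Added example, not Flatboard's own limiter: fixed-window per-IP counter
// stored as JSON, emitting the X-RateLimit-* headers on every response.
declare(strict_types=1);

function rateLimitCheck(string $ip, string $action, int $limit, int $window,
                        string $storeDir = 'stockage/ratelimit/'): bool
{
    if (!is_dir($storeDir)) {
        mkdir($storeDir, 0750, true);
    }
    // Hash the client-controlled IP so it never becomes part of a path.
    $file = $storeDir . $action . '_' . hash('sha256', $ip) . '.json';
    $now = time();
    $state = ['count' => 0, 'reset' => $now + $window];

    $fh = fopen($file, 'c+');                      // create if missing, no truncate
    flock($fh, LOCK_EX);                           // serialize concurrent hits
    $saved = json_decode((string) stream_get_contents($fh), true);
    if (is_array($saved) && isset($saved['reset']) && $saved['reset'] > $now) {
        $state = $saved;                           // still inside the current window
    }
    $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    flock($fh, LOCK_UN);
    fclose($fh);

    header('X-RateLimit-Limit: ' . $limit);
    header('X-RateLimit-Remaining: ' . max(0, $limit - $state['count']));
    header('X-RateLimit-Reset: ' . $state['reset']);
    if ($state['count'] > $limit) {
        header('Retry-After: ' . ($state['reset'] - $now));
        return false;
    }
    return true;
}

// Login form: 5 attempts per IP (the page default) per 15-minute window (assumed).
if (!rateLimitCheck($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 'login', 5, 900)) {
    http_response_code(429);
    exit('Too many login attempts, try again later');
}
```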

Input Validation

Sanitization

All user input is sanitized:

  • HTML Sanitization - Removes dangerous HTML
  • SQL Injection Prevention - Parameterized queries (SQLite)
  • XSS Prevention - Escapes output
  • Path Traversal Prevention - Validates file paths

Validation Rules

  • Email - Valid email format
  • URL - Valid URL format
  • Username - Alphanumeric and allowed characters
  • Password - Meets strength requirements
  • File Uploads - Valid file types and sizes

Permission System

Principle of Least Privilege

Grant minimum necessary permissions:

  1. Default Deny - Deny by default
  2. Explicit Allow - Explicitly grant permissions
  3. Regular Review - Review permissions regularly
  4. Document Changes - Keep permission change log

Permission Levels

  • Guest - View only
  • Member - Post and interact
  • Moderator - Moderate content
  • Admin - Full system access

Best Practices

  • Separate Roles - Use different accounts for admin/moderator
  • Limit Admin Count - Keep admin accounts minimal
  • Review Regularly - Audit permissions periodically
  • Use Groups - Manage via groups, not individual users

Password Security

Requirements

Configure strong password requirements:

  • Minimum Length - At least 8 characters (recommended: 12+)
  • Complexity - Require uppercase, numbers, special characters
  • No Common Passwords - Block common passwords
  • Password History - Prevent password reuse

Password Hashing

Flatboard 5 uses:

  • bcrypt - Secure password hashing
  • Salt - Unique salt per password
  • Cost Factor - Configurable bcrypt cost
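
Added example of the three points above in plain PHP (not Flatboard's own auth code): bcrypt via password_hash(), which generates a unique salt per hash, with a configurable cost and a transparent re-hash at login when the cost has been raised. The BCRYPT_COST value is an assumed setting.

```php
<?php
// Added example, not Flatboard's own code: bcrypt with configurable cost
// and upgrade-on-login so old hashes migrate to the new cost over time.
declare(strict_types=1);

const BCRYPT_COST = 12;   // assumed configured value; raise as hardware gets faster

function hashPassword(string $password): string
{
    // password_hash() draws a fresh random salt for every call and embeds it
    // in the "$2y$<cost>$..." output, so no separate salt column is needed.
    // Note: bcrypt only uses the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyAndUpgrade(string $password, string &$storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // The stored hash was produced with a lower cost: re-hash now while the
    // plaintext is available. The caller must persist the updated $storedHash.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $storedHash = hashPassword($password);
    }
    return true;
}

// Demo with a constructed password: a hash made at cost 10 is still accepted
// on login and is upgraded to BCRYPT_COST in place.
$stored = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$ok = verifyAndUpgrade('correct horse battery staple', $stored);
var_dump($ok, str_starts_with($stored, '$2y$' . BCRYPT_COST . '$'));
```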

Two-Factor Authentication (2FA)

Enable 2FA for additional security:

  1. Enable in Settings - Admin Panel > Settings > Security
  2. User Setup - Users configure in profile
  3. Backup Codes - Generate backup codes
  4. Recovery - Account recovery options

File Upload Security

Restrictions

  • File Types - Only allowed MIME types
  • File Size - Maximum file size limits
  • File Validation - Validates actual file content
  • Virus Scanning - Optional virus scanning

Configuration

// Allowed file types
$allowedTypes = ['image/jpeg', 'image/png', 'application/pdf'];

// Maximum file size (2MB)
$maxSize = 2 * 1024 * 1024;

// Upload directory
$uploadDir = 'uploads/attachments/';

Best Practices

  • Whitelist Types - Only allow necessary file types
  • Scan Uploads - Scan for malware
  • Isolate Uploads - Store outside web root when possible
  • Validate Content - Check actual file content, not just extension
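
The configuration values and the "validate content, not just extension" rule above, combined into an added upload handler (not Flatboard's own): the MIME type is read from the file bytes with finfo, images must actually decode, and the stored name is server-generated. The extension map and the "attachment" field name are assumptions.

```php
<?php
// Added example, not Flatboard's own upload code. Reuses the $allowedTypes,
// $maxSize and $uploadDir values from the Configuration section above, with
// each allowed type mapped to the extension the stored file will get.
declare(strict_types=1);

$allowedTypes = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'application/pdf' => 'pdf'];
$maxSize = 2 * 1024 * 1024;          // 2MB
$uploadDir = 'uploads/attachments/';

function storeUpload(array $file, array $allowedTypes, int $maxSize, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error ' . $file['error']);
    }
    if ($file['size'] > $maxSize) {
        throw new RuntimeException('File exceeds ' . $maxSize . ' bytes');
    }
    // Inspect the bytes, not the client-supplied $file['type'] or the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset($allowedTypes[$mime])) {
        throw new RuntimeException('Disallowed content type: ' . $mime);
    }
    // For images, additionally require that the data decodes as an image.
    if (str_starts_with($mime, 'image/') && getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Corrupt or forged image');
    }
    // Never reuse the original filename; assign a random name plus the expected extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowedTypes[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload into ' . $uploadDir);
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $name;
}

if (isset($_FILES['attachment'])) {
    $storedName = storeUpload($_FILES['attachment'], $allowedTypes, $maxSize, $uploadDir);
}
```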

Session Security

Configuration

  • Secure Cookies - Use HTTPS-only cookies
  • HttpOnly - Prevent JavaScript access
  • SameSite - CSRF protection
  • Session Timeout - Automatic logout after inactivity

Session Timeouts & Fingerprinting

Flatboard 5 enforces layered session protection via App\Core\Session:

Constant               Value       Effect
REGENERATE_INTERVAL    1800 s      Session ID is automatically regenerated every 30 minutes
IDLE_TIMEOUT           3600 s      Session expires after 1 hour of inactivity
MAX_LIFETIME           86400 s     Absolute session maximum regardless of activity (24 hours)
REMEMBER_ME_LIFETIME   2592000 s   Cookie and session lifetime when "Remember Me" is checked (30 days)

Session fingerprinting — on each request, a fingerprint is computed as SHA-256(User-Agent + Accept-Language). If the fingerprint changes mid-session, the session is immediately invalidated to prevent hijacking. IP validation is also performed by default and can be toggled for CDN/mobile environments:

Session::disableIpValidation();   // e.g., for users behind a CDN or mobile network
Session::enableIpValidation();    // default — re-enable IP binding
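
The table of constants and the fingerprint check above, as an added illustration written against plain $_SESSION (this is not the App\Core\Session source; the _security key layout and the function names are assumptions):

```php
<?php
// Added example, not Flatboard's own App\Core\Session: binds a session to
// SHA-256(User-Agent + Accept-Language), optionally to the client IP, and
// applies the idle, absolute and regeneration intervals from the table above.
declare(strict_types=1);

function sessionFingerprint(): string
{
    return hash('sha256',
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

function sessionIsValid(bool $ipValidation = true): bool
{
    $now = time();
    $fp  = sessionFingerprint();
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['_security'])) {
        // First request of this session: record what the session is bound to.
        $_SESSION['_security'] = ['fp' => $fp, 'ip' => $ip,
            'started' => $now, 'last' => $now, 'regen' => $now];
        return true;
    }
    $s = &$_SESSION['_security'];
    $tampered = !hash_equals($s['fp'], $fp)
             || ($ipValidation && $s['ip'] !== $ip);
    $expired  = ($now - $s['last']) > 3600          // IDLE_TIMEOUT
             || ($now - $s['started']) > 86400;     // MAX_LIFETIME
    if ($tampered || $expired) {
        // Invalidate immediately rather than letting a hijacked session continue.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    if (($now - $s['regen']) > 1800) {              // REGENERATE_INTERVAL
        session_regenerate_id(true);                // old ID becomes unusable
        $s['regen'] = $now;
    }
    $s['last'] = $now;
    return true;
}

session_start();
// Pass false here for the CDN/mobile case the page describes.
if (!sessionIsValid(ipValidation: true)) {
    http_response_code(401);
    exit('Session invalidated');
}
```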

Advanced Session Methods

Available for plugin developers:

// Get and immediately remove a value (useful for one-time tokens)
$value = Session::pull('key', $default);

// Atomically increment/decrement a session counter
Session::increment('login_attempts', 1);
Session::decrement('credits', 1);

// Set a flash value visible only on the NEXT request
Session::flashNext('success', 'Saved!');
$message = Session::getFlash('success');

// Get only user-scoped session data (excludes internal _security, _remember_me, etc.)
$userData = Session::allUser();

// Session metadata for debugging
$meta = Session::metadata();
// Returns: id, started_at, last_activity, fingerprint, age, idle_time

// Migrate session data to a new ID without destroying the old one
Session::migrate();

Best Practices

  • Use HTTPS - Always use HTTPS in production
  • Regenerate IDs - Regenerate session ID on login
  • Short Timeout - Set reasonable session timeout
  • Secure Storage - Store sessions securely

Server Hardening

File Permissions

Set correct permissions:

# Directories
chmod 755 app/ themes/ plugins/ languages/
chmod 750 stockage/ uploads/

# Files
chmod 644 *.php
chmod 600 stockage/json/config.json

Directory Protection

Protect sensitive directories:

# .htaccess in stockage/ (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<FilesMatch "\.(json|log)$">
    Deny from all
</FilesMatch>

PHP Configuration

Secure PHP settings:

; Disable dangerous functions
disable_functions = exec,passthru,shell_exec,system

; Hide PHP version
expose_php = Off

; Error reporting (production)
display_errors = Off
log_errors = On

Security Headers

Add security headers:

# Apache .htaccess
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"

# Nginx configuration
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";

Regular Security Maintenance

Checklist

  • [ ] Update Regularly - Keep Flatboard 5 updated
  • [ ] Update Plugins - Update plugins regularly
  • [ ] Review Logs - Check error and access logs
  • [ ] Monitor Activity - Watch for suspicious activity
  • [ ] Backup Regularly - Maintain regular backups
  • [ ] Review Permissions - Audit user permissions
  • [ ] Test Security - Perform security audits

Security Audits

Regular security audits:

  1. Review Users - Check for suspicious accounts
  2. Check Permissions - Verify permission settings
  3. Review Logs - Analyze error and access logs
  4. Test Updates - Test updates in staging
  5. Monitor Performance - Watch for unusual activity

Incident Response

If Compromised

  1. Isolate - Take site offline if necessary
  2. Assess - Determine extent of compromise
  3. Contain - Prevent further damage
  4. Remediate - Fix vulnerabilities
  5. Notify - Inform users if data exposed
  6. Document - Document incident and response

Prevention

  • Regular Backups - Maintain backups
  • Monitor Logs - Watch for anomalies
  • Update Promptly - Apply security updates
  • Limit Access - Minimize admin access
  • Use HTTPS - Encrypt all connections

Resources

Last updated: February 23, 2026