Security

Securing Orchestra Platform

Application Key

The first thing you should do before running Orchestra Platform is set your application key to a random string. If you installed Orchestra Platform via Composer, this key has probably already been set for you during composer install. You can also regenerate it with:

php artisan key:generate

Typically, this string should be 32 characters long. The key is set in the .env environment file.

Warning: If the application key is not set, your user sessions and other encrypted data will not be secure!

Environment Configuration

First of all, ensure that APP_DEBUG is set to true only on local development machines; in a production environment it must be set to false. This prevents the application from displaying the full error stack trace to your end users when an error occurs.

You might also consider using production as the environment name for production code. This allows Orchestra Platform to run some pre-defined optimizations during each deployment via:

php artisan orchestra:assemble

Use Better Session Driver

Orchestra Platform recommends using the Redis, Memcached or APC session driver (or at least the database driver). This helps ensure that session requests are handled without interruption, which matters especially for CSRF protection and login throttling.

Note: You can change the driver in the .env file.
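The three settings above (application key, debug mode in production, session driver) are the ones worth checking before every deployment. The following is an added example, not part of the Orchestra Platform documentation or code base: a small POSIX shell audit that reads a .env file and reports each setting that is missing or misconfigured. It assumes the standard Laravel variable names APP_KEY, APP_ENV, APP_DEBUG and SESSION_DRIVER, and the two sample .env files it creates are constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not from the Orchestra Platform docs): audit a .env file for the
# settings discussed above. Returns 0 only when no finding was reported.

# Read one KEY from a .env file: the last definition wins, surrounding quotes are stripped.
env_value() {
    key="$1"; file="$2"
    grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2- | sed 's/^"\(.*\)"$/\1/'
}

audit_env() {
    file="$1"
    status=0
    app_key=$(env_value APP_KEY "$file")
    app_env=$(env_value APP_ENV "$file")
    app_debug=$(env_value APP_DEBUG "$file")
    session_driver=$(env_value SESSION_DRIVER "$file")

    # 1. The application key must be present; a raw key is 32 characters, a
    #    "base64:"-prefixed key (as generated by key:generate) is longer.
    if [ -z "$app_key" ]; then
        echo "FAIL: APP_KEY is not set (sessions and encrypted data are not secure)"
        status=1
    elif [ ${#app_key} -lt 32 ]; then
        echo "FAIL: APP_KEY is shorter than 32 characters"
        status=1
    fi

    # 2. Debug output (full stack traces) must be off in production.
    if [ "$app_env" = "production" ] && [ "$app_debug" != "false" ]; then
        echo "FAIL: APP_DEBUG must be false when APP_ENV=production"
        status=1
    fi

    # 3. The session driver should be one of those recommended above.
    case "$session_driver" in
        redis|memcached|apc|database) ;;
        *)
            echo "WARN: SESSION_DRIVER='$session_driver' (redis, memcached, apc or database recommended)"
            status=1 ;;
    esac
    return $status
}

# Constructed sample files for demonstration (the key below is not a real secret).
BAD_ENV=$(mktemp); cat > "$BAD_ENV" <<'EOF'
APP_ENV=production
APP_DEBUG=true
APP_KEY=
SESSION_DRIVER=file
EOF
GOOD_ENV=$(mktemp); cat > "$GOOD_ENV" <<'EOF'
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
SESSION_DRIVER=redis
EOF
trap 'rm -f "$BAD_ENV" "$GOOD_ENV"' EXIT

echo "--- misconfigured sample ---"; audit_env "$BAD_ENV"  || echo "(audit failed as expected)"
echo "--- hardened sample ---";      audit_env "$GOOD_ENV" && echo "OK: no findings"
```

Run it against the real file with `audit_env /path/to/.env` from a deployment hook; a non-zero exit status is a convenient way to stop a deploy that would ship debug mode or an empty key.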

Disallow access to Blade for themes

Apache

Configuration is included in the default public/.htaccess:

# Secure Front Themes...

RewriteRule ^themes/.*\.(blade.php|php)$ - [F,L,NC]

Nginx

Add the following location block to your server configuration. nginx uses the first matching regular-expression location, so place it before the location that passes .php files to PHP-FPM, otherwise the PHP handler wins and the theme scripts remain executable:

location ~ ^/themes/(.*)\.php$ {
	deny all;
}
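To see what the two rules above actually refuse, the following added example (not from the Orchestra Platform docs) feeds a few constructed request paths through the same regular expressions the Apache and nginx snippets use. It makes one assumption explicit: the Apache rule carries the NC flag and is case-insensitive, while the nginx `~` modifier is case-sensitive; if you want nginx to mirror Apache exactly, use `~*` in the location.

```shell
#!/bin/sh
# Added example (not from the Orchestra Platform docs): evaluate request paths
# against the patterns from the Apache and nginx snippets above.
#   Apache: RewriteRule ^themes/.*\.(blade.php|php)$ - [F,L,NC]   (NC = case-insensitive)
#   nginx:  location ~ ^/themes/(.*)\.php$                        (~  = case-sensitive)

APACHE_PATTERN='^themes/.*\.(blade.php|php)$'
NGINX_PATTERN='^/themes/(.*)\.php$'

# Returns 0 (blocked) when the .htaccess rule would answer 403 for the URI path.
apache_blocks() {
    # RewriteRule in public/.htaccess sees the path without its leading slash.
    printf '%s\n' "${1#/}" | grep -Eiq "$APACHE_PATTERN"
}

# Returns 0 (blocked) when the nginx location would answer 403 for the URI path.
nginx_blocks() {
    printf '%s\n' "$1" | grep -Eq "$NGINX_PATTERN"
}

# Constructed request paths: Blade templates and PHP helpers must be refused,
# ordinary theme assets (CSS, JS) must stay reachable.
for path in /themes/default/views/layout.blade.php \
            /themes/default/helpers.php \
            /themes/default/Helpers.PHP \
            /themes/default/css/app.css \
            /themes/default/js/app.js; do
    a=allowed; n=allowed
    apache_blocks "$path" && a=blocked
    nginx_blocks "$path" && n=blocked
    printf '%-40s apache=%-8s nginx=%s\n' "$path" "$a" "$n"
done
```

The mixed-case path is the one place the two configurations disagree: Apache refuses it because of NC, nginx does not match it with `~`. After deploying either rule, a request for a known theme template should return 403 rather than the rendered or raw file.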