Security
Securing Orchestra Platform
Application Key
The first thing you should do before running Orchestra Platform is set your application key to a random string. If you download Orchestra Platform via Composer, this key has probably already been set for you during composer install. You can also rerun this command:
php artisan key:generate
Typically, this string should be 32 characters long. The key can be set in the .env environment file.
If the application key is not set, your user sessions and other encrypted data will not be secure!
Environment Configuration
First of all, ensure that APP_DEBUG is only set to true on local development machines; in a production environment you should set it to false. This prevents the application from displaying the full error stack trace to your end users when an error occurs.
You might also consider using production as the environment name for production code. This lets Orchestra Platform run some pre-defined optimizations during each deployment via:
php artisan orchestra:assemble
Use Better Session Driver
Orchestra Platform recommends using either the Redis, Memcached or APC session driver (or at least the database driver). This helps make sure session requests are handled without interruption, especially for CSRF protection and login throttling.
You can edit the driver in the .env file.
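The three settings above (APP_KEY, APP_DEBUG against APP_ENV, and SESSION_DRIVER) are all read from the same .env file, so they can be verified together before a deployment. The following POSIX shell script is an added example and not part of Orchestra Platform or its documentation; it assumes the standard Laravel variable names APP_KEY, APP_ENV, APP_DEBUG and SESSION_DRIVER, accepts either the 32-character key this page describes or a value carrying Laravel's base64: prefix, and the two .env files it checks are constructed samples.

```shell
#!/bin/sh
# Added example (not Orchestra Platform's own code): a pre-deployment check for
# the .env settings this page covers. The .env contents below are constructed.

# Print the value of KEY ($2) from the .env file ($1); first match wins,
# surrounding double quotes are stripped.
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 when the file passes every check, 1 otherwise, printing each finding.
check_env() {
  file="$1"
  errors=0

  key=$(env_get "$file" APP_KEY)
  # Accept a 32-character key (as this page describes) or a base64: prefixed
  # value; the prefix is accepted as-is, its decoded length is not verified.
  case "$key" in
    base64:*) ;;
    *)
      if [ "${#key}" -ne 32 ]; then
        echo "FAIL APP_KEY is unset or not 32 characters; run: php artisan key:generate"
        errors=$((errors + 1))
      fi ;;
  esac

  env_name=$(env_get "$file" APP_ENV)
  debug=$(env_get "$file" APP_DEBUG)
  # Stack traces must never reach end users in production.
  if [ "$env_name" = "production" ] && [ "$debug" != "false" ]; then
    echo "FAIL APP_DEBUG must be false when APP_ENV=production (got '${debug:-unset}')"
    errors=$((errors + 1))
  fi

  driver=$(env_get "$file" SESSION_DRIVER)
  # Only the drivers this page recommends pass; file, cookie, array etc. fail.
  case "$driver" in
    redis|memcached|apc|database) ;;
    *)
      echo "FAIL SESSION_DRIVER '${driver:-unset}' is not one of redis, memcached, apc, database"
      errors=$((errors + 1)) ;;
  esac

  [ "$errors" -eq 0 ]
}

# Constructed sample: a production .env with every setting wrong ...
weak=$(mktemp)
cat > "$weak" <<'EOF'
APP_ENV=production
APP_DEBUG=true
APP_KEY=
SESSION_DRIVER=file
EOF

# ... and a hardened one (the key value is a placeholder, not a real key).
good=$(mktemp)
cat > "$good" <<'EOF'
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD=
SESSION_DRIVER=redis
EOF

echo "== weak .env"
check_env "$weak" || echo "-> not deployable"
echo "== hardened .env"
check_env "$good" && echo "-> ok"
rm -f "$weak" "$good"
```

Run it as `sh check_env.sh` from the project root, or call check_env on the real .env; a non-zero exit status makes it easy to wire into a deploy script ahead of php artisan orchestra:assemble.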
Disallow access to Blade for themes
Apache
Configuration is included in the default public/.htaccess:
# Secure Front Themes...
RewriteRule ^themes/.*\.(blade.php|php)$ - [F,L,NC]
Nginx
You can add the following configuration:
location ~ ^/themes/(.*)\.php$ {
deny all;
}
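To confirm which request paths the two rules above refuse, the following POSIX shell harness applies each pattern the way its server does. It is an added example, not part of Orchestra Platform or its documentation: the Apache rule carries the NC flag, so it is matched case-insensitively against the path without its leading slash, whereas nginx's location ~ block is matched case-sensitively against the full URI. The request paths are constructed samples.

```shell
#!/bin/sh
# Added example (not Orchestra Platform's own code): replays the two rules
# from this page against constructed request paths.

# Apache: RewriteRule ^themes/.*\.(blade.php|php)$ - [F,L,NC]
# .htaccess rules see the path relative to public/, so the leading slash is
# dropped; NC makes the match case-insensitive (grep -i).
apache_blocks() {
  printf '%s\n' "${1#/}" | grep -Eiq '^themes/.*\.(blade.php|php)$'
}

# Nginx: location ~ ^/themes/(.*)\.php$ { deny all; }
# "location ~" is a case-sensitive regex on the full URI path.
nginx_blocks() {
  printf '%s\n' "$1" | grep -Eq '^/themes/(.*)\.php$'
}

# Print one line per path showing what each server would do with it.
report() {
  path="$1"
  if apache_blocks "$path"; then a=blocked; else a=allowed; fi
  if nginx_blocks "$path"; then n=blocked; else n=allowed; fi
  printf '%-40s apache=%-7s nginx=%s\n' "$path" "$a" "$n"
}

# Constructed sample requests: template sources, a public asset, and an
# upper-cased extension to show where the two rules differ.
for p in /themes/default/views/home.blade.php \
         /themes/default/helpers.php \
         /themes/default/css/app.css \
         /themes/default/Index.PHP \
         /assets/themes/default/app.php; do
  report "$p"
done
```

The last two sample paths show the practical difference: /themes/default/Index.PHP is refused by Apache but not by the case-sensitive nginx rule (use location ~* if you want nginx to match regardless of case), and a path that only contains themes/ somewhere in the middle is refused by neither, because both patterns are anchored at the start.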