
# Security

Securing Orchestra Platform

## Application Key

The first thing you should do before running Orchestra Platform is set your application key to a random string. If you installed Orchestra Platform via Composer, this key has probably already been set for you during `composer install`. You can also rerun this command:

```shell
php artisan key:generate
```

Typically, this string should be 32 characters long. The key can be set in the `.env` environment file.

> **Danger:** If the application key is not set, your user sessions and other encrypted data will not be secure!

## Environment Configuration

First of all, ensure that `APP_DEBUG` is only set to `true` on local development machines; in production environments you should set it to `false`. This prevents the application from displaying the full error stack trace to your end users when an error occurs.

You might also consider using `production` as the default environment name for production code. This allows Orchestra Platform to run some pre-defined optimizations during each deployment via:

```shell
php artisan orchestra:assemble
```

## Use Better Session Driver

Orchestra Platform recommends using either the Redis, Memcached or APC session driver (or at least the database driver). This helps ensure that session requests are handled without interruption, which matters especially for CSRF protection and login throttling.

> **Info:** You can edit the driver from the `.env` file.

## Disallow access to Blade for themes

### Apache

Configuration is included in the default `public/.htaccess`:

```apache
# Secure Front Themes...

RewriteRule ^themes/.*\.(blade.php|php)$ - [F,L,NC]
```

### Nginx

You can add the following configuration:

```nginx
location ~ ^/themes/(.*)\.php$ {
	deny all;
}
```
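As an added example (not part of the original documentation or the Orchestra Platform project), the following POSIX shell script audits a `.env` file before deployment for the three settings covered above: a 32-byte `APP_KEY`, `APP_DEBUG=false` whenever `APP_ENV=production`, and one of the recommended session drivers. The two sample `.env` files are constructed inline, and the helper names (`env_get`, `key_bytes`, `audit_env`) are this example's own.

```shell
#!/bin/sh
# Added example: audit an Orchestra Platform / Laravel .env before deployment.
# Checks the settings this page covers: APP_KEY, APP_DEBUG and SESSION_DRIVER.

# Read NAME from a dotenv file: first "NAME=value" line, surrounding double quotes stripped.
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Byte length of an APP_KEY. A "base64:" key is sized arithmetically
# (3 bytes per 4 characters, minus padding); a plain key counts characters.
key_bytes() {
    case "$1" in
        base64:*)
            b64=${1#base64:}
            pad=$(printf '%s' "$b64" | tr -cd '=' | wc -c | tr -d ' ')
            echo $(( ${#b64} * 3 / 4 - pad )) ;;
        *)  echo ${#1} ;;
    esac
}

# Returns 0 when the file passes every check, 1 otherwise; findings go to stdout.
audit_env() {
    f=$1; rc=0
    key=$(env_get "$f" APP_KEY)
    if [ -z "$key" ]; then
        echo "FAIL: APP_KEY is empty; run 'php artisan key:generate'"; rc=1
    elif [ "$(key_bytes "$key")" -ne 32 ]; then
        echo "FAIL: APP_KEY is $(key_bytes "$key") bytes, expected 32"; rc=1
    fi
    if [ "$(env_get "$f" APP_ENV)" = production ] && [ "$(env_get "$f" APP_DEBUG)" != false ]; then
        echo "FAIL: APP_DEBUG must be false in production (stack traces would reach end users)"; rc=1
    fi
    case "$(env_get "$f" SESSION_DRIVER)" in
        redis|memcached|apc|database) ;;
        *) echo "FAIL: SESSION_DRIVER should be redis, memcached, apc or database"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample .env files. The key below is a placeholder (32 random bytes,
# base64-encoded); a real deployment gets its key from 'php artisan key:generate'.
TMP=${TMPDIR:-/tmp}/env-audit.$$ && mkdir -p "$TMP"
KEY="base64:$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
printf 'APP_ENV=production\nAPP_DEBUG=false\nAPP_KEY=%s\nSESSION_DRIVER=redis\n' "$KEY" > "$TMP/good.env"
printf 'APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=\nSESSION_DRIVER=file\n' > "$TMP/bad.env"

for f in "$TMP/good.env" "$TMP/bad.env"; do
    echo "== $f"; audit_env "$f" && echo "OK"
done
```

Run it against the real `.env` with `audit_env /path/to/.env` in a CI step; a non-zero exit blocks the deployment.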