This document outlines security considerations and best practices for deploying and maintaining AngelAdmin2.

• Security Features
• Production Security Checklist
• Authentication & Authorization
• Data Protection
• Common Vulnerabilities
• Security Monitoring
• Incident Response

AngelAdmin2 includes several built-in security features:

1. Traditional Authentication: Username/password with session management
2. Hash-based Authentication: Secure token-based access for members
3. Role-based Access Control: Granular permissions system

• Password hashing using PHP's secure algorithms
• CSRF protection for forms
• SQL injection prevention through ORM
• XSS protection via output escaping
• Secure session configuration

• Configurable session security settings
• HTTP-only cookies
• Secure cookie flags for HTTPS

• Disable Debug Mode: Set DEBUG=false in production
• Secure Salt: Use a strong, unique SECURITY_SALT
• Environment Variables: Store sensitive data in environment variables
• Remove Dev Dependencies: Run composer install --no-dev

• HTTPS Only: Force HTTPS for all connections
• Security Headers: Implement proper HTTP security headers
• Hide Server Info: Disable server version disclosure
• Directory Browsing: Disable directory listing

Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self'"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header Content-Security-Policy "default-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin";

• Proper Permissions: Set restrictive file permissions
• Writable Directories: Only make necessary directories writable
• Remove Sensitive Files: Remove .env.example, test files in production

# Application files (read-only)
find /path/to/angeladmin2 -type f -exec chmod 644 {} \;
find /path/to/angeladmin2 -type d -exec chmod 755 {} \;

# Writable directories
chmod 755 tmp/ logs/ webroot/uploads/

# Configuration files (more restrictive)
chmod 600 config/app_local.php .env

• Dedicated User: Create a specific database user for the application
• Minimal Privileges: Grant only necessary database permissions
• Connection Security: Use SSL for database connections if possible
• Regular Backups: Implement automated, secure backups

-- Create dedicated user with minimal privileges
CREATE USER 'angeladmin2_prod'@'localhost' IDENTIFIED BY 'strong_random_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON angeladmin2.* TO 'angeladmin2_prod'@'localhost';
FLUSH PRIVILEGES;

AngelAdmin2 uses CakePHP's built-in password hashing:

• Passwords are hashed using password_hash() with PASSWORD_DEFAULT
• No plain text passwords are stored
• Session tokens are regenerated on login

For member access without passwords:

• Uses SHA-1 hashes for member identification
• Secure cookie implementation with proper flags
• 24-hour expiration for hash-based sessions
• Validation against database-stored hashes

Configure secure sessions in config/app.php:

'Session' => [
    'timeout' => 30240, // 21 days in minutes
    'cookieTimeout' => 1814400, // 21 days in seconds
    'ini' => [
        'session.cookie_lifetime' => 1814400,
        'session.cookie_secure' => true, // HTTPS only
        'session.cookie_httponly' => true, // Prevent XSS
        'session.cookie_samesite' => 'Lax',
        'session.use_strict_mode' => true,
        'session.use_only_cookies' => true,
    ],
],

AngelAdmin2 handles sensitive member data:

• Personal information (names, addresses, dates of birth)
• Contact details (email, phone numbers)
• Financial information (billing, payments)
• Photos and documents

• Implement data retention policies
• Provide data export functionality
• Enable data deletion capabilities
• Maintain audit logs for data access
• Obtain proper consent for data processing

// Example validation for image uploads
'photo' => [
    'upload' => [
        'rule' => ['uploadedFile', [
            'types' => ['image/jpeg', 'image/png'],
            'maxSize' => '2MB'
        ]],
        'message' => 'Invalid file upload'
    ]
]

AngelAdmin2 uses CakePHP's ORM which provides automatic protection:

// Safe: Uses parameterized queries
$members = $this->Members->find()
    ->where(['active' => 1])
    ->where(['team_id' => $teamId]);

// Avoid: Raw SQL without proper escaping
// $query = "SELECT * FROM members WHERE team_id = " . $teamId; // DON'T DO THIS

// Safe: Automatic escaping in templates
echo h($member->first_name);

// Safe: Using Html helper
echo $this->Html->link($member->name, ['action' => 'view', $member->id]);

// Raw output only when necessary and trusted
echo $this->Text->autoParagraph($content); // Only for admin content

// Enable CSRF protection in forms
$this->loadComponent('FormProtection', [
    'unlockedFields' => ['dynamic_field']
]);

// Validate file types and sizes
$validator
    ->add('photo', 'file', [
        'rule' => ['mimeType', ['image/jpeg', 'image/png']],
        'message' => 'Only JPEG and PNG images allowed'
    ])
    ->add('photo', 'filesize', [
        'rule' => ['fileSize', '<=', '2MB'],
        'message' => 'File too large'
    ]);

Configure security logging in config/app.php:

'Log' => [
    'security' => [
        'className' => 'Cake\Log\Engine\FileLog',
        'path' => LOGS,
        'file' => 'security',
        'scopes' => ['security'],
        'levels' => ['warning', 'error', 'critical', 'alert', 'emergency'],
    ],
]

• Failed login attempts
• Unusual access patterns
• Large data exports
• Administrative actions
• File upload attempts

// Log security events
use Cake\Log\Log;

// Failed login attempt
Log::write('warning', 'Failed login attempt for: ' . $username, ['scope' => ['security']]);

// Successful admin action
Log::write('info', 'User ' . $user->username . ' deleted member ID: ' . $memberId, ['scope' => ['security']]);

• Update Dependencies: Regular composer update
• Review Logs: Monitor security and error logs
• Backup Verification: Test backup restoration
• Access Review: Audit user accounts and permissions
• Vulnerability Scanning: Use tools like composer audit

1. Immediate Response

   • Isolate affected systems
   • Preserve evidence
   • Document the incident
   • Notify stakeholders

2. Investigation

   • Analyze logs
   • Determine scope of compromise
   • Identify attack vectors
   • Assess data impact

3. Recovery

   • Patch vulnerabilities
   • Restore from clean backups
   • Reset compromised credentials
   • Update security measures

4. Post-Incident

   • Document lessons learned
   • Update security procedures
   • Implement additional monitoring
   • Communicate with affected parties

Maintain a list of emergency contacts:

• System administrators
• Database administrators
• Security team
• Legal counsel (for data breaches)
• Key stakeholders

• Composer Audit: composer audit for dependency vulnerabilities
• PHPStan: Static analysis for code quality
• SonarQube: Code security analysis
• OWASP ZAP: Web application security testing

• OWASP Top 10
• CakePHP Security Guidelines
• PHP Security Best Practices
• NIST Cybersecurity Framework

Please do not report security vulnerabilities in public GitHub issues.

To report security vulnerabilities:

1. Email: [email protected] (replace with actual contact)
2. Include detailed description
3. Provide steps to reproduce
4. Allow reasonable time for response

We will:

• Acknowledge receipt within 48 hours
• Provide regular updates on progress
• Credit reporters (unless requested otherwise)
• Coordinate disclosure timing