François Jacquet edited this page Oct 20, 2019 · 11 revisions

This article gives security hints for hardening a RosarioSIS installation.

PostgreSQL database

Instead of creating the RosarioSIS database with the default postgres superuser, create a dedicated PostgreSQL role that owns only the RosarioSIS database, and make the application connect with that role. Then, if the RosarioSIS database password is ever disclosed (for example through a leaked application configuration file), the attacker gets that one database and not the whole PostgreSQL server.
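The following SQL is an added example, not part of this wiki page nor of the RosarioSIS installer: it creates the dedicated, unprivileged role described above, gives it exactly one database, and ends with a query you can run at any time to confirm the role has no server-wide privilege. The role name, database name and password are placeholders (assumptions); run it as a superuser, e.g. `psql -U postgres -f create_rosariosis_role.sql`, and generate the password elsewhere.

```sql
-- Added example (not from the RosarioSIS wiki). Role/database names and the
-- password are placeholders: replace them before running.

-- 1. A plain login role: no SUPERUSER, no CREATEDB, no CREATEROLE. It can only
--    do what is explicitly granted to it below.
CREATE ROLE rosariosis
    LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE
    CONNECTION LIMIT 20
    PASSWORD 'replace-with-a-long-random-password';

-- 2. The application database, owned by that role, so the RosarioSIS installer
--    can create its tables there without any server-wide privilege.
CREATE DATABASE rosariosis OWNER rosariosis;

-- 3. By default PUBLIC (every role) may CONNECT to every database; close that
--    door so only the owner role can open a session on this database.
REVOKE CONNECT ON DATABASE rosariosis FROM PUBLIC;
GRANT  CONNECT ON DATABASE rosariosis TO rosariosis;

-- 4. Verification: all privilege flags for the rosariosis row must be false (f).
--    Re-run this after upgrades or when someone "temporarily" grants a privilege.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls, rolreplication
  FROM pg_roles
 WHERE rolname = 'rosariosis';
```

Two things the SQL cannot do for you: in pg_hba.conf, allow the rosariosis role to connect only from the web server's address (for example a `host rosariosis rosariosis 127.0.0.1/32 scram-sha-256` line on PostgreSQL 10 or later, `md5` on older releases), and if several applications share the server, repeat step 3 for each of their databases so that no application role can connect to another application's data.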

Once RosarioSIS is installed on your production server, also do the following:

Password

Change the default usernames and passwords of the sample accounts (admin, teacher, student, parent), disable any of them you do not use, and adopt a password policy. You can set the minimum Password Strength from within RosarioSIS, under School > Configuration.

php.ini

Here are some php.ini directives that harden PHP session handling. Edit the php.ini that the web server's PHP actually loads (php --ini lists the loaded files, and the CLI may use a different one than Apache or PHP-FPM), restart the web server or PHP-FPM afterwards, and verify the effective values with phpinfo():

; session.use_strict_mode specifies whether the module will use strict session id mode.
; If this mode is enabled, the module does not accept an uninitialized session ID.
; If an uninitialized session ID is sent from the browser, a new session ID is sent to the browser.
; Applications are protected from session fixation via session adoption with strict mode.
; Defaults to 0 (disabled).
; http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
session.use_strict_mode = 1

; http://php.net/session.hash-function
; Only honoured by PHP < 7.1. PHP 7.1 removed session.hash_function (together with
; session.entropy_file and session.entropy_length): session IDs are now read from
; the system CSPRNG, and only their length is configurable, see below.
session.hash_function = sha256

; PHP >= 7.1: 48 characters from a 64-symbol alphabet (6 bits each), i.e. 288 bits
; of session ID entropy. The defaults are 32 characters and 4 bits (128 bits).
session.sid_length = 48
session.sid_bits_per_character = 6

Resources

A good set of Apache (.htaccess) rules to block common attack patterns in request URIs, query strings, user agents and referrers: 6G Blacklist 2019 (the 6G Firewall from Perishable Press). Like any blacklist it can reject legitimate requests, so test RosarioSIS with the rules enabled before relying on them in production; they do not apply to nginx or other web servers.

WebSecTools, protect your website.

Mozilla Observatory, test your server security.