sysPass includes several security mechanisms that mitigate events and actions which could compromise the application. Among them are:
- Generation of a security token for every submitted form
- Request method checking for every form
- Removal of unwanted characters from received data
- Type casting of received data
- Hash generation for export and backup file names
- PKI (public-key) encryption of passwords sent within forms
Even with these mechanisms in place, the web server components and the communications with it still need to be secured:
- Use of HTTPS
- Limit access to the “config” and “backup” directories
To restrict access to those directories in Apache, either place a “.htaccess” file inside each directory or add the rules to the site configuration:

```apache
# Apache 2.2
<Directory ~ "/var/www/html/sysPass/(config|backup)">
    Order Deny,Allow
    Deny from all
</Directory>

# Apache 2.4
<Directory ~ "/var/www/html/sysPass/(config|backup)">
    Require all denied
</Directory>
```

Adjust the path to match your installation. Do not wrap the deny in a `<Limit GET HEAD POST>` section: `<Limit>` restricts only the methods listed and leaves every other method (PUT, OPTIONS, TRACE, ...) open, so the deny belongs directly in the `<Directory>` section. In a “.htaccess” file use only the inner directive, without the `<Directory>` wrapper, and remember that Apache honours “.htaccess” rules only where `AllowOverride` permits them.

It is essential that the “config” directory is not reachable through the web server, because its contents could reveal sensitive information.
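A way to verify from the outside that both points above are actually enforced (HTTPS only, and “config” and “backup” not served) is to probe the installation the way an attacker would. The script below is an added example and is not part of sysPass or its documentation; the host name, the install path `sysPass` and the file name `config/config.xml` are assumptions, as is the list of HTTP methods tried.

```shell
#!/bin/sh
# Added example, not sysPass code: probe a sysPass install and report whether
# the web server enforces an HTTPS redirect and denies config/ and backup/.
# Host, install path and the probed file names are assumptions.
set -eu

# A path counts as denied only when the server refuses it (403), hides it
# (404) or rejects the method (405). Anything else, a 200 or a redirect to a
# login page included, means the path is reachable and needs a closer look.
is_denied() {
    case "$1" in
        403|404|405) return 0 ;;
        *) return 1 ;;
    esac
}

# Plain HTTP must answer with a permanent redirect to an https:// URL.
is_https_redirect() {
    code="$1"; location="$2"
    case "$code" in
        301|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Status code only. HEAD uses -I because "-X HEAD" makes curl wait for a body.
# -k tolerates a self-signed certificate on a test instance.
status_for() {
    if [ "$1" = HEAD ]; then
        curl -k -s -o /dev/null -w '%{http_code}' -I "$2"
    else
        curl -k -s -o /dev/null -w '%{http_code}' -X "$1" "$2"
    fi
}

# Status code and Location of the first response, without following it.
redirect_for() {
    curl -k -s -o /dev/null -w '%{http_code} %{redirect_url}' "$1"
}

check_install() {
    host="$1"; app="$2"; rc=0

    set -- $(redirect_for "http://$host/$app/" || echo 000)
    if is_https_redirect "$1" "${2:-}"; then
        echo "OK      http://$host/$app/ -> $1 ${2:-}"
    else
        echo "WEAK    http://$host/$app/ -> $1 ${2:-} (no HTTPS redirect)"; rc=1
    fi

    # Probe a file inside config/ as well as the directories themselves: a
    # bare directory may return 403 merely because listing is disabled.
    # Several methods are tried because an Apache <Limit GET HEAD POST> block
    # leaves the methods it does not name unrestricted.
    for path in config/ config/config.xml backup/; do
        for method in GET HEAD POST PUT OPTIONS; do
            code=$(status_for "$method" "https://$host/$app/$path" || echo 000)
            if [ "$code" = 000 ]; then
                printf 'ERROR   %-7s %s -> unreachable\n' "$method" "$path"; rc=1
            elif is_denied "$code"; then
                printf 'OK      %-7s %s -> %s\n' "$method" "$path" "$code"
            else
                printf 'EXPOSED %-7s %s -> %s\n' "$method" "$path" "$code"; rc=1
            fi
        done
    done
    return "$rc"
}

# Runs only when a host is given, e.g.: sh check_syspass.sh syspass.example.com
if [ "$#" -gt 0 ]; then
    check_install "$1" "${2:-sysPass}"
fi
```

The script exits non-zero if any probe is not denied, so it can run from a cron job or a deployment pipeline as a regression check after web server changes. A `WEAK` line on the HTTP probe or an `EXPOSED` line on any path means the corresponding rule above is not in effect for that request.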