Security¶
sysPass has some security mechanisms to mitigate some kind of events and actions that could compromise the application security. Among them are:
- Security token generation for sending forms
- Removing of unwanted characters from received data
- Type casting of received data
- Hash generation for export and backup files name
- RSA (PKI) encryption is used for sending passwords within forms
Although these actions, it’s needed to secure the web server components and communications by:
- Using HTTPS
- Limiting access to ‘app/config’ and ‘app/backup’ directories
In order to limit the access to the directories through Apache, ‘.htaccess’ files could be used within the directories or by modifying the site configuration:
# Apache 2.4 (after 2.4.16)
<Directory "/var/www/html/sysPass">
Options -Indexes -FollowSymLinks -Includes -ExecCGI
<RequireAny>
Require expr "%{REQUEST_URI} =~ m#.*/index\.php(\?r=)?#"
Require expr "%{REQUEST_URI} =~ m#.*/api\.php$#"
Require expr "%{REQUEST_URI} =~ m#^$#"
</RequireAny>
</Directory>
<Directory "/var/www/html/sysPass/public">
Require all granted
</Directory>
# Apache 2.4 (before 2.4.16)
<Directory "/var/www/html/sysPass">
Options -Indexes -FollowSymLinks -Includes -ExecCGI
<RequireAny>
Require expr %{REQUEST_URI} =~ m#.*/index\.php(\?r=)?#
Require expr %{REQUEST_URI} =~ m#.*/api\.php$#
Require expr %{REQUEST_URI} =~ m#^/?$#
</RequireAny>
</Directory>
<Directory "/var/www/html/sysPass/public">
Require all granted
</Directory>
Danger
‘app/config’ directory shouldn’t be accessible through the web server, it could reveal private data.