Security Policy

Web Development Security Policy

This document outlines how we handle security in relation to web development and client information.

Servers

  • We recommend VPS hosting to clients (currently DigitalOcean and UpCloud) to ensure that websites are not on a shared server with any other companies and have high performance.
  • We recommend clients move their DNS to Cloudflare to mitigate DDoS attacks
  • Security patches and packages are automatically installed weekly on client servers
  • All servers that we manage for clients are provisioned with Ploi to make sure they're set up correctly
  • We use Ploi to install and automatically renew Let’s Encrypt SSL certificates
  • Clients are advised to move to a new server every 5 years when their LTS version of Ubuntu stops receiving updates
  • Domains managed by us:
    • Enforce HTTPS via Cloudflare
    • Enable HSTS via Cloudflare with a max-age of 6 months
    • Automatic HTTPS Rewrites
  • We use the latest LTS installation of Ubuntu for new client web servers

Maintenance

  • For clients that have active maintenance contracts, we update Craft and its plugins either monthly or quarterly depending on the contract
  • We recommend a maintenance contract to all clients to keep their websites updated both in terms of security and front end performance
  • All sites we actively maintain are backed up regularly to AWS via Ploi or SnapShooter

Passwords

  • Online web applications which store client information are secured with two-factor authentication where possible
  • We never share client passwords externally
  • Passwords are stored in 1Password
  • For our own passwords, we use strong, randomly generated passwords via 1Password that are never re-used
  • Passwords are not sent in plain text by email
  • Our password vault is separated into containers. Only the people who need certain passwords are able to access them
  • Users who leave the company have their access to passwords revoked

Working with Freelancers

  • Developers are required to sign an NDA before being given access to any client data
  • Access to servers is restricted to SSH keys
  • Developers are only given access to the site they are actively working on
  • Once a developer is no longer working on a site, their access to the server and repository is revoked

General

  • We use code monitoring tools that point out vulnerabilities in active sites we’re working on
  • We recommend Craft CMS for almost all client projects. In terms of security, here’s what you need to know about how Craft is secured at the code level: https://craftcms.com/knowledge-base/security-faq

Craft-specific Policies

Craft plugins must either be from the safe list below or be reviewed individually. Ideally, installed plugins:

  • Have good documentation
  • Have many (at least 100) active installs
  • Are actively maintained
  • Have a good response time for GitHub issues
  • Have a version number above 1.x
  • Are from one of the companies in our Plugin Developer Safe List

We follow all advisories in the Securing Craft article from Pixel & Tonic:

  • The source folder is kept above the webroot
  • allowAdminChanges is set to false in both staging and production
  • We explicitly set the @web alias for the site
  • We enable all “Purify HTML?” Redactor field settings
  • We use Freeform for all forms, which automatically enables CSRF protection
  • We use the latest major version of PHP on new sites, and upgrade existing sites when they move to new servers
  • File permissions are reviewed and set according to Craft’s installation guide
  • General Configuration settings are reviewed on a per-site basis during development
  • We set applicable security headers during development
  • We change the cpTrigger from the default /admin
  • We remove the X-Powered-By: Craft CMS header
  • Inactive CMS user accounts are disabled or deleted
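A config/general.php that applies the settings listed above, as an added illustration rather than the agency's own file; it assumes Craft's multi-environment config array (keyed by CRAFT_ENVIRONMENT) and that PRIMARY_SITE_URL, CP_TRIGGER and SECURITY_KEY are defined in .env. The "manage" fallback trigger is a placeholder.

```php
<?php
// config/general.php (illustrative example, not the policy's own file).
// Keys in '*' apply to every environment; the named environments override them.
return [
    '*' => [
        // Pin @web explicitly so URLs are never derived from the request's Host header.
        'aliases' => [
            '@web' => getenv('PRIMARY_SITE_URL'),
        ],
        // Move the control panel off the default /admin path (value is an assumption).
        'cpTrigger' => getenv('CP_TRIGGER') ?: 'manage',
        // Do not send the X-Powered-By: Craft CMS header.
        'sendPoweredByHeader' => false,
        // Admin/schema changes are locked by default; only dev re-enables them below.
        'allowAdminChanges' => false,
        // Only send session/CSRF cookies over HTTPS.
        'useSecureCookies' => true,
        // Secret used for hashing and encryption; never hard-code it here.
        'securityKey' => getenv('SECURITY_KEY'),
    ],
    'dev' => [
        'allowAdminChanges' => true,
        'devMode' => true,
    ],
    'staging' => [
        'allowAdminChanges' => false,
        'devMode' => false,
    ],
    'production' => [
        'allowAdminChanges' => false,
        'devMode' => false,
    ],
];
```

With allowAdminChanges false outside dev, schema edits made in the control panel are refused, so changes must arrive through project config files in version control.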

Plugin Developer Safe List

The companies below have a proven track record in high quality software and have been active in the Craft community for years. We trust their work.

Contact Details

If you find any vulnerabilities in our websites or would like more information about this policy, you can get in contact with us directly through our contact form.

This policy was written with great inspiration from PutYourLightsOn's Securing Craft articles and SnapShooter's Security Policies.