Skip to content

Security: madness-tech/formna

Security

SECURITY.md

Security Policy

FORMNA takes security seriously. We appreciate the security research community's efforts to help keep our users safe.

πŸ”’ Supported Versions

Security updates are provided for the following versions:

Version Supported
1.x βœ… Current release
< 1.0 ❌ Not supported

Recommendation: Always run the latest stable version for the best security and features.


🚨 Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in FORMNA, please report it responsibly:

How to Report

πŸ“§ Email: hello@madness.tech

Please include:

  1. Description β€” Clear explanation of the vulnerability
  2. Impact β€” Potential security impact and severity
  3. Reproduction β€” Step-by-step instructions to reproduce
  4. Environment β€” PHP version, database, OS, web server
  5. Suggested fix β€” If you have one (optional)
  6. Your contact info β€” For follow-up questions

What to Expect

  • Acknowledgment β€” We'll respond within 48 hours
  • Updates β€” We'll keep you informed of our progress
  • Resolution β€” We aim to fix critical issues within 7 days
  • Credit β€” We'll credit you in release notes (if you wish)
  • Public disclosure β€” After a fix is released, typically within 30 days

Confidentiality

Please:

  • Do not disclose the vulnerability publicly until we've released a fix
  • Do not exploit the vulnerability beyond what's necessary to demonstrate it
  • Give us reasonable time to address the issue before disclosure

πŸ›‘οΈ Security Best Practices

When deploying FORMNA, follow these security guidelines:

1. Environment Configuration

βœ… Use strong encryption keys

php bin/formna generate-key
# Copy the generated 32-character key to .env as APP_KEY

βœ… Set production environment

APP_ENV=production

βœ… Enable secure sessions over HTTPS

SESSION_SECURE=true    # Only if using HTTPS
SESSION_HTTPONLY=true
SESSION_SAMESITE=Lax

βœ… Configure trusted proxies (if behind a proxy/load balancer)

APP_TRUSTED_PROXIES=127.0.0.1,173.245.48.0

2. Database Security

βœ… Use strong database credentials

  • Avoid default usernames like 'root' or 'admin'
  • Use complex passwords (20+ characters)
  • Grant only necessary privileges

βœ… Restrict database access

  • Bind MySQL to localhost if not using remote connections
  • Use firewall rules to limit database access

3. File Permissions

Set appropriate file permissions on your server:

# Application files (read-only for web server)
chmod -R 755 /path/to/formna
chmod -R 644 /path/to/formna/public/*.php

# Writable directories
chmod -R 775 /path/to/formna/storage
chmod -R 775 /path/to/formna/public/uploads

# Protect sensitive files
chmod 600 /path/to/formna/.env

4. Web Server Configuration

βœ… Point document root to public/ directory

  • Never expose the application root to the web
  • Only public/ should be web-accessible

βœ… Disable directory listing

# Apache (.htaccess in public/)
Options -Indexes
# Nginx
autoindex off;

βœ… Block access to sensitive files

# Nginx example
location ~ /\. {
    deny all;
}

location ~ \.env {
    deny all;
}

5. HTTPS/TLS

βœ… Use HTTPS in production

  • Obtain a free SSL certificate from Let's Encrypt
  • Redirect all HTTP traffic to HTTPS
  • Use HSTS headers

βœ… Use secure session cookies

SESSION_SECURE=true  # Cookies only sent over HTTPS

6. Updates & Patches

βœ… Stay updated

  • Monitor FORMNA releases
  • Subscribe to security announcements
  • Test updates in a staging environment first

βœ… Keep dependencies current

composer update
npm update

7. Backups

βœ… Regular backups

  • Database backups (daily or more frequent)
  • Uploaded files (storage/uploads/, public/uploads/)
  • Configuration files (.env)
  • Test restoration procedures

8. Monitoring

βœ… Review logs regularly

  • Check storage/logs/ for suspicious activity
  • Monitor audit log data through the admin panel for unauthorized access attempts
  • Set up log rotation to prevent disk space issues

βœ… Monitor failed login attempts

  • FORMNA automatically rate-limits login attempts
  • Review patterns in audit logs

9. User Management

βœ… Strong password policies

  • Enforce minimum password requirements (configured in system settings)
  • Enable MFA/TOTP for admin accounts
  • Regularly review user accounts and remove inactive users

βœ… Principle of least privilege

  • Grant users only the permissions they need
  • Use Reviewer role instead of Admin when full access isn't required
  • Regularly audit user permissions

10. Rate Limiting

FORMNA includes built-in rate limiting for:

  • Login attempts (5 per 15 minutes per IP)
  • API endpoints
  • Password reset requests

Rate limits are configurable and logged.


πŸ” Security Features

FORMNA includes several security features out of the box:

Authentication & Authorization

  • βœ… Secure password hashing (bcrypt)
  • βœ… Multi-factor authentication (TOTP)
  • βœ… Email verification for new accounts
  • βœ… Rate limiting on authentication endpoints
  • βœ… Recovery codes for MFA backup
  • βœ… Fine-grained role-based access control (RBAC)

Data Protection

  • βœ… Encryption of sensitive data at rest
  • βœ… Prepared statements (SQL injection protection)
  • βœ… CSRF protection on all forms
  • βœ… XSS protection via output escaping
  • βœ… File upload validation and sanitization

Audit & Compliance

  • βœ… Comprehensive audit logging
  • βœ… IP address tracking
  • βœ… User action history
  • βœ… Configurable data retention policies

Session Security

  • βœ… Secure session management
  • βœ… Session regeneration on login
  • βœ… Configurable session timeouts
  • βœ… HttpOnly and Secure cookie flags

πŸ” Known Issues

Current known security considerations:

None at this time

We'll list any known security issues here until they're resolved. Check back regularly or watch the repository for updates.


πŸ“‹ Security Checklist

Use this checklist when deploying FORMNA:

  • Generated strong APP_KEY
  • Set APP_ENV=production
  • Using HTTPS with valid SSL certificate
  • SESSION_SECURE=true (if using HTTPS)
  • Strong database credentials
  • File permissions properly set
  • Web server document root points to public/
  • Directory listing disabled
  • .env file not web-accessible
  • Firewall configured
  • Regular backups scheduled
  • Log monitoring in place
  • Dependencies up to date
  • MFA enabled for admin accounts

πŸ“š Resources


πŸ“ž Contact

For security-related questions or concerns:

πŸ“§ Email: hello@madness.tech

For non-security issues, use GitHub Issues.


Thank you for helping keep FORMNA and our users safe! πŸ™

There aren't any published security advisories