FORMNA takes security seriously. We appreciate the security research community's efforts to help keep our users safe.
Security updates are provided for the following versions:
| Version | Supported |
|---|---|
| 1.x | β Current release |
| < 1.0 | β Not supported |
Recommendation: Always run the latest stable version for the best security and features.
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in FORMNA, please report it responsibly:
π§ Email: hello@madness.tech
Please include:
- Description β Clear explanation of the vulnerability
- Impact β Potential security impact and severity
- Reproduction β Step-by-step instructions to reproduce
- Environment β PHP version, database, OS, web server
- Suggested fix β If you have one (optional)
- Your contact info β For follow-up questions
- Acknowledgment β We'll respond within 48 hours
- Updates β We'll keep you informed of our progress
- Resolution β We aim to fix critical issues within 7 days
- Credit β We'll credit you in release notes (if you wish)
- Public disclosure β After a fix is released, typically within 30 days
Please:
- Do not disclose the vulnerability publicly until we've released a fix
- Do not exploit the vulnerability beyond what's necessary to demonstrate it
- Give us reasonable time to address the issue before disclosure
When deploying FORMNA, follow these security guidelines:
β Use strong encryption keys
php bin/formna generate-key
# Copy the generated 32-character key to .env as APP_KEYβ Set production environment
APP_ENV=productionβ Enable secure sessions over HTTPS
SESSION_SECURE=true # Only if using HTTPS
SESSION_HTTPONLY=true
SESSION_SAMESITE=Laxβ Configure trusted proxies (if behind a proxy/load balancer)
APP_TRUSTED_PROXIES=127.0.0.1,173.245.48.0β Use strong database credentials
- Avoid default usernames like 'root' or 'admin'
- Use complex passwords (20+ characters)
- Grant only necessary privileges
β Restrict database access
- Bind MySQL to localhost if not using remote connections
- Use firewall rules to limit database access
Set appropriate file permissions on your server:
# Application files (read-only for web server)
chmod -R 755 /path/to/formna
chmod -R 644 /path/to/formna/public/*.php
# Writable directories
chmod -R 775 /path/to/formna/storage
chmod -R 775 /path/to/formna/public/uploads
# Protect sensitive files
chmod 600 /path/to/formna/.envβ Point document root to public/ directory
- Never expose the application root to the web
- Only
public/should be web-accessible
β Disable directory listing
# Apache (.htaccess in public/)
Options -Indexes# Nginx
autoindex off;β Block access to sensitive files
# Nginx example
location ~ /\. {
deny all;
}
location ~ \.env {
deny all;
}β Use HTTPS in production
- Obtain a free SSL certificate from Let's Encrypt
- Redirect all HTTP traffic to HTTPS
- Use HSTS headers
β Use secure session cookies
SESSION_SECURE=true # Cookies only sent over HTTPSβ Stay updated
- Monitor FORMNA releases
- Subscribe to security announcements
- Test updates in a staging environment first
β Keep dependencies current
composer update
npm updateβ Regular backups
- Database backups (daily or more frequent)
- Uploaded files (
storage/uploads/,public/uploads/) - Configuration files (
.env) - Test restoration procedures
β Review logs regularly
- Check
storage/logs/for suspicious activity - Monitor audit log data through the admin panel for unauthorized access attempts
- Set up log rotation to prevent disk space issues
β Monitor failed login attempts
- FORMNA automatically rate-limits login attempts
- Review patterns in audit logs
β Strong password policies
- Enforce minimum password requirements (configured in system settings)
- Enable MFA/TOTP for admin accounts
- Regularly review user accounts and remove inactive users
β Principle of least privilege
- Grant users only the permissions they need
- Use Reviewer role instead of Admin when full access isn't required
- Regularly audit user permissions
FORMNA includes built-in rate limiting for:
- Login attempts (5 per 15 minutes per IP)
- API endpoints
- Password reset requests
Rate limits are configurable and logged.
FORMNA includes several security features out of the box:
- β Secure password hashing (bcrypt)
- β Multi-factor authentication (TOTP)
- β Email verification for new accounts
- β Rate limiting on authentication endpoints
- β Recovery codes for MFA backup
- β Fine-grained role-based access control (RBAC)
- β Encryption of sensitive data at rest
- β Prepared statements (SQL injection protection)
- β CSRF protection on all forms
- β XSS protection via output escaping
- β File upload validation and sanitization
- β Comprehensive audit logging
- β IP address tracking
- β User action history
- β Configurable data retention policies
- β Secure session management
- β Session regeneration on login
- β Configurable session timeouts
- β HttpOnly and Secure cookie flags
Current known security considerations:
We'll list any known security issues here until they're resolved. Check back regularly or watch the repository for updates.
Use this checklist when deploying FORMNA:
- Generated strong APP_KEY
- Set APP_ENV=production
- Using HTTPS with valid SSL certificate
- SESSION_SECURE=true (if using HTTPS)
- Strong database credentials
- File permissions properly set
- Web server document root points to public/
- Directory listing disabled
- .env file not web-accessible
- Firewall configured
- Regular backups scheduled
- Log monitoring in place
- Dependencies up to date
- MFA enabled for admin accounts
For security-related questions or concerns:
π§ Email: hello@madness.tech
For non-security issues, use GitHub Issues.
Thank you for helping keep FORMNA and our users safe! π