Logistack Security: Difference between revisions
Page created by Lee Miller (talk | contribs); one intermediate revision by the same user is not shown.
Latest revision as of 19:30, 14 October 2025
Overview
95% of the pages in Logistack can only be seen by Admins and Superusers.
Beyond that, all data is protected inside a MySQL database.
Tests
- Security Header (https://securityheaders.com/?q=pro.logistack.co.uk&followRedirects=on) - A+
- SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=pro.logistack.co.uk) - A A A A
- Mozilla HTTP Observatory - A+
Extra Protection
Most protected pages are set to display errors, which under ordinary circumstances would be asking for trouble! However, to make providing support easier, I've set things up to use redirects. Let me explain ...
This is what a normal PHP error looks like:
Parse error: syntax error, unexpected '}', expecting ')' in /var/www/app.php on line 7
The issue is that when this is displayed publicly, it provides an "in." Showing /var/www/app.php (or any full server path) to the public is classic information disclosure. On its own it's not a hack, but it materially helps attackers.
With Logistack, when an error like this occurs, a normal (non-admin) user is redirected to a page that says, "An error occurred, please inform admin." When an admin visits the same page, they're given a log number and the line of code that tells me exactly what's wrong, without compromising the security of your website.
What would normally be a 500 error at best becomes a tool to fix your site.
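As an added example (not Logistack's own code), here is one way to implement that pattern in PHP: the full detail goes to a log under a reference number, an admin sees the file and line, and everyone else is redirected to the generic page. The session key, the log path, /error.php and app.php are assumptions made for the example.

```php
<?php
// Added example (not Logistack's own code) of the redirect-instead-of-disclose
// pattern. Assumptions: $_SESSION['role'] is 'admin' for admins, errors are
// appended to ERROR_LOG_FILE (hypothetical path), and /error.php is the generic
// "An error occurred, please inform admin" page.
declare(strict_types=1);

const ERROR_LOG_FILE = '/var/log/app/errors.log';

function isAdmin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Write the full detail to the log and return an opaque reference number.
function logError(Throwable $e): string
{
    $ref  = bin2hex(random_bytes(8));
    $line = sprintf("[%s] %s %s: %s in %s on line %d\n", date('c'), $ref,
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine());
    file_put_contents(ERROR_LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    return $ref;
}

// Warnings and notices become exceptions so one handler covers everything.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Uncaught Throwables, including the ParseError thrown when a require()d file
// has a syntax error (PHP 7+).
set_exception_handler(function (Throwable $e): void {
    $ref = logError($e);
    if (ob_get_level() > 0) {
        ob_end_clean();           // discard any partial page output
    }
    if (isAdmin()) {
        // Admin sees the log number plus the offending file and line.
        http_response_code(500);
        printf("Error #%s: %s in %s on line %d\n", $ref,
            htmlspecialchars($e->getMessage()), htmlspecialchars($e->getFile()), $e->getLine());
    } else {
        // Public sees only the reference number; the server path never leaves the server.
        header('Location: /error.php?ref=' . urlencode($ref), true, 303);
    }
    exit;
});

ob_start();
session_start();
require __DIR__ . '/app.php'; // a syntax error in this file lands in the handler above
```

A syntax error in the entry script itself fires before any handler is installed, so display_errors should still be off in php.ini (with log_errors on) to cover that case.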