FUEL CMS has several security options you can change; they are listed below. In addition, cookie information is encrypted by default, and you can specify your own encryption key in the configuration settings as in any other CodeIgniter (CI) application.
FUEL CMS 1.0 improved the security hashing used for storing passwords in the database.
FUEL Configuration Security Settings
The FUEL config provides several security settings, including:
- restrict_to_remote_ip - restricts FUEL to certain IP addresses only (the value must be an array, so it can include multiple addresses).
- default_pwd - the default password that FUEL alerts you about if it is still in use. The default password is admin.
- admin_enabled - allows use of the CMS admin. The default is FALSE.
- num_logins_before_lock - the number of times someone can attempt to log in before they are locked out for 1 minute (or whatever is set for seconds_to_unlock). The default is 3.
- seconds_to_unlock - the number of seconds a person is locked out after reaching the maximum number of failed login attempts. The default is 60.
- dev_password - if you set a dev password, the site will require a password to view. Testing your site may not work if a dev password is set. The default is no password.
Module-Specific Security Settings
Additionally, the following module-specific security settings exist:
- sanitize_input - cleans the input before inserting or updating the data source.
A value of TRUE will apply the xss_clean function.
A value of FALSE will apply no sanitizing functions.
You can use an array to apply more than one function to sanitize your input.
The list of functions available to sanitize the input is set by the module_sanitize_funcs FUEL configuration value under the security settings.
The default values are listed below:
- xss = xss_clean
- php = encode_php_tags
- template = php_to_template_syntax
- entities = entities
- sanitize_files (was sanitize_images) - applies the xss_clean function to uploaded files.
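As an added illustration (not FUEL CMS's own code) of how a module's sanitize_input value resolves against module_sanitize_funcs, the script below re-implements the documented rules as a standalone resolver. The helper bodies (a minimal xss_clean, a CodeIgniter-style encode_php_tags, entities) are stand-ins so it runs on its own, the "apply in array order" and "fail closed on unknown keys" behaviour are assumptions of this example, and php_to_template_syntax is left out of the stand-ins.

```php
<?php
// Mirrors the documented defaults of the module_sanitize_funcs setting.
$config['module_sanitize_funcs'] = [
    'xss'      => 'xss_clean',
    'php'      => 'encode_php_tags',
    'template' => 'php_to_template_syntax', // not defined below; kept for completeness
    'entities' => 'entities',
];

// Stand-ins for the CodeIgniter/FUEL helpers (assumption: simplified, not the real ones).
// This xss_clean only strips <script> blocks; CodeIgniter's real filter is far broader.
function xss_clean(string $s): string {
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '[removed]', $s);
}
// Same replacement CodeIgniter's encode_php_tags performs on "<?" and "?>".
function encode_php_tags(string $s): string {
    return str_replace(['<?', '?>'], ['&lt;?', '?&gt;'], $s);
}
function entities(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Resolve a sanitize_input value to the list of functions to run:
// TRUE => xss_clean only, FALSE => nothing, array => keys into module_sanitize_funcs.
function resolve_sanitize_funcs($sanitize_input, array $funcMap): array {
    if ($sanitize_input === true)  { return [$funcMap['xss']]; }
    if ($sanitize_input === false) { return []; }
    $funcs = [];
    foreach ((array) $sanitize_input as $key) {
        if (!isset($funcMap[$key]) || !function_exists($funcMap[$key])) {
            // Fail closed: a typo in the config must not silently disable sanitizing.
            throw new InvalidArgumentException("Unknown sanitize function key: $key");
        }
        $funcs[] = $funcMap[$key];
    }
    return $funcs;
}

// Apply the resolved functions in array order (order matters: running
// 'entities' before 'php' would double-encode the "&lt;" that encode_php_tags emits).
function sanitize_value(string $value, $sanitize_input, array $funcMap): string {
    foreach (resolve_sanitize_funcs($sanitize_input, $funcMap) as $fn) {
        $value = $fn($value);
    }
    return $value;
}

// Constructed sample input containing both a script block and a PHP tag.
$input = '<script>alert(1)</script><?php echo "hi"; ?> done';
echo sanitize_value($input, true, $config['module_sanitize_funcs']), "\n";
echo sanitize_value($input, ['xss', 'php'], $config['module_sanitize_funcs']), "\n";
```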