Security FAQ
We take security very seriously at Pixel & Tonic, and work to ensure Craft provides a safe and secure platform for all who use it. As a result, Craft CMS is trusted by corporations like Microsoft, Apple, Reddit, Adobe, BigCommerce, Netflix, AT&T, McDonald’s, and Dell, plus numerous government, financial, and educational organizations.
Below are answers to frequently asked questions we receive that pertain to Craft security.
What security practices do Pixel & Tonic employ? #
Our codebases and their dependencies undergo security reviews by our own team and third-party security researchers regularly, both by manually inspecting the code and using automated auditing tools and we regularly interact with security experts to stay on top of best practices and learn about new attack vectors.
What measures have been implemented to secure Craft at a core level? #
Craft provides the following built-in security measures:
- Craft and Yii use PDO for all database queries, and all dynamic values are parameterized, helping prevent SQL injection attacks.
- Craft validates sensitive cookie data using a private key to ensure request cookies have not been tampered with.
- Craft uses CSRF token validation by default to help prevent CSRF attacks.
- Twig automatically escapes HTML entities that are dynamically output by default, helping avoid XSS attack vectors.
- Untrusted HTML is sanitized with HTML Purifier by default.
- Untrusted SVG documents are sanitized with SVG Sanitizer by default.
- Uploaded file names are cleansed, and images are resaved on upload to ensure any malicious code embedded within the image is stripped away.
- Sensitive information such as passwords and security keys are redacted from error messages and logs.
- Craft verifies new email addresses on user accounts before accepting them by default.
- Craft temporarily locks user accounts after too many unsuccessful login attempts by default.
- Craft requires users to re-enter their password within the past 5 minutes by default before performing potentially-malicious actions, including changing emails or passwords or assigning new user roles, groups, or permissions.
- Craft provides granular permissions on user accounts and user groups via a simple and intuitive permission system.
- Craft stores the user agent string in identity cookies by default, helping avoid session/cookie hijacking.
- Craft will deny all requests to start a session that don’t present a user agent string or IP address, helping prevent direct socket connections.
- Craft 4 requires PHP 8.0.2+.
- Craft uses OpenSSL to generate cryptographically-secure email verification codes, password reset tokens and other strings.
- Craft will use the native PHP password_hash() method if it is available, which defaults to the blowfish algorithm, arguably the most secure and reliable method of password encryption. If it is not available, it will use PHP’s native crypt() method using the blowfish algorithm with a strong, cryptographically-secure random salt.
- Session cookies are set to HTTP only.
- Craft will set the
secure
flag on all cookies sent over SSL by default. - Craft sets the
X-Frame-Options: SAMEORIGIN
header on all Control Panel requests, helping prevent clickjacking. - Craft sets the
X-Content-Type-Options: nosniff
header on all Control Panel requests, helping prevent some Ajax XSS attack vectors on older versions of Internet Explorer. - Control Panel requests use the
origin-when-cross-origin
referrer policy, preventing outbound links from learning the full URL of the Control Panel. - Craft uses time-safe methods for sensitive comparisons like checking the equality of password hashes, helping prevent timing attacks.
- Craft’s default folder structure encourages people to keep application files above the web root, and the System Report utility in the Control Panel will warn you if that appears not to be the case.
Additionally, Craft provides several config settings that can be set to further strengthen security, which are listed in the Securing Craft guide.
What happens in the event that a security issue is reported? #
When a security issue is reported, we confirm its validity quickly and implement a fix as soon as possible.
If there is a public exploit, we’ll mark the update as critical, which causes an alert to be shown across the top of all unpatched Craft installations.
How can I find out about new security incidents? #
There are a few ways to keep track of security-related incidents and improvements:
- You can watch the craftcms/cms repository on GitHub. To only receive notifications for security alerts such as published security advisories, choose Custom → Security alerts in the watch settings.
- We document all security-related improvements in the Craft CMS changelog. Release notes are available via the Craft CMS Releases Atom feed.
- We provide a Critical Releases Atom feed with the release notes for all Craft CMS and plugin releases marked as critical.
I’ve found a security vulnerability. How should I report it? #
If you’ve found a security vulnerability in one of our codebases, please read and follow our Security Policy.
Will you accommodate special security requirements? #
If you have particular security requirements, please contact us so we can review them with you and develop a plan for addressing them.