Security FAQ

We take security very seriously at Pixel & Tonic, and work to ensure Craft provides a safe and secure platform for all who use it. As a result, Craft CMS is trusted by corporations like Microsoft, Apple, Reddit, Adobe, BigCommerce, Netflix, AT&T, McDonald’s, and Dell, plus numerous government, financial, and educational organizations.

Below are answers to frequently-asked questions we receive that pertain to Craft security.

What security practices do Pixel & Tonic employ?

We base our security practices on OWASP SAMM methodologies and Microsoft’s Agile SDL recommendations, and we regularly interact with security experts to stay on top of best practices and learn about new attack vectors.

Our codebases and their dependencies undergo security reviews by our own team and third party security researchers on a regular basis, both by manually inspecting the code and using automated auditing tools.

What measures have been put in place to secure Craft at a core level?

Craft provides the following built-in security measures:

  • Craft and Yii use PDO for all database queries, and all dynamic values are parameterized, helping prevent SQL injection attacks.
  • Craft validates sensitive cookie data using a private key to ensure request cookies have not been tampered with.
  • Craft uses CSRF token validation by default to help prevent CSRF attacks.
  • Twig automatically escapes HTML entities that are dynamically output by default, helping avoid XSS attack vectors.
  • Untrusted HTML is sanitized with HTML Purifier by default.
  • Untrusted SVG documents are sanitized with SVG Sanitizer by default.
  • Uploaded file names are cleansed, and images are resaved on upload to ensure any malicious code embedded within the image is stripped away.
  • Sensitive information such as passwords and security keys are redacted from error messages and logs.
  • Craft verifies new email addresses on user accounts before accepting them by default.
  • Craft temporarily locks user accounts after too many unsuccessful login attempts by default.
  • Craft requires, by default, that users have re-entered their current password within the past 5 minutes before performing sensitive actions such as changing their email address or password, or assigning new user roles, groups, or permissions.
  • Craft provides granular permissions on user accounts and user groups via a simple and intuitive permission system.
  • Craft stores the user agent string in identity cookies by default, helping avoid session/cookie hijacking.
  • Craft will deny all requests to start a session that don’t present a user agent string or IP address, helping prevent direct socket connections.
  • Craft requires PHP 7.0+.
  • Craft uses OpenSSL to generate cryptographically-secure email verification codes, password reset tokens, and other strings.
  • Craft will use the native PHP password_hash() function if it is available, which defaults to the blowfish (bcrypt) algorithm, arguably the most secure and reliable method of password hashing. If it is not available, it will use PHP’s native crypt() function with the blowfish algorithm and a strong, cryptographically-secure random salt.
  • Session cookies are set to HTTP only.
  • Craft will set the secure flag on all cookies sent over SSL by default.
  • Craft sets the X-Frame-Options: SAMEORIGIN header on all Control Panel requests, helping prevent clickjacking.
  • Craft sets the X-Content-Type-Options: nosniff header on all Control Panel requests, helping prevent some Ajax XSS attack vectors on older versions of Internet Explorer.
  • Control Panel requests use the origin-when-cross-origin referrer policy, preventing outbound links from learning the full URL of the Control Panel.
  • Craft uses time-safe methods for sensitive comparisons like checking the equality of password hashes, helping prevent timing attacks.
  • Craft’s default folder structure encourages people to keep application files above the web root, and the System Report utility in the Control Panel will warn you if that appears to not be the case.
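The password-hashing and time-safe-comparison items above describe two general PHP techniques. The following is an added illustration written for this FAQ, not Craft’s own code: it hashes with password_hash() (bcrypt) when available, falls back to crypt() with a randomly salted "$2y$" blowfish setting string otherwise, and verifies with password_verify() or, in the fallback path, a constant-time hash_equals() comparison. The function names, the cost factor of 10, and the sample password are assumptions made for the example.

```php
<?php
// Added example, not Craft's code. Demonstrates bcrypt hashing with a crypt()
// fallback and constant-time verification. Requires PHP 7.0+ (random_bytes, hash_equals).

/**
 * Hash a password with bcrypt. Prefers password_hash(); if it is unavailable,
 * builds a blowfish setting string for crypt() from a CSPRNG-generated salt.
 * (The cost of 10 is an assumed default for this example.)
 */
function hashPassword(string $password, int $cost = 10): string
{
    if (function_exists('password_hash')) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }

    // Fallback: bcrypt salts are 22 characters from the alphabet ./A-Za-z0-9.
    // base64 of 16 random bytes gives 24 characters; remap '+' to '.' and drop the '==' padding.
    $raw  = random_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));

    // A valid bcrypt hash is always 60 characters; anything shorter means blowfish is not supported.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt (CRYPT_BLOWFISH) is not available on this build of PHP');
    }
    return $hash;
}

/**
 * Verify a password against a stored hash without leaking timing information.
 * password_verify() is already constant-time; the crypt() path uses hash_equals()
 * instead of == so the comparison does not short-circuit on the first mismatched byte.
 */
function verifyPassword(string $password, string $storedHash): bool
{
    if (function_exists('password_verify')) {
        return password_verify($password, $storedHash);
    }
    // crypt() re-derives the hash using the salt embedded in $storedHash.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Constructed demonstration values for running the example from the command line.
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));
var_dump(strpos($stored, '$2y$10$') === 0); // hash records algorithm, cost and salt
```

Because the cost factor and salt are stored inside the hash string itself, the verification side never needs separate configuration, and password_needs_rehash() can later be used to migrate stored hashes when the cost is raised.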

Additionally, Craft provides several config settings that can be set to further strengthen security, which are listed in the Securing Craft guide.

What happens in the event that a security issue is reported?

When a security issue is reported, we work to quickly confirm its validity, and implement a fix as quickly as possible.

If there is a public exploit, we’ll mark the update as critical, which causes an alert to be shown across the top of all unpatched Craft installations.

How can I be notified when a security incident occurs?

You can subscribe to Craft’s releases RSS feed, or watch releases on GitHub, to be notified when new versions have been released. We list all security-related improvements under “Security” headings in the changelog, and new releases that contain security improvements will get a special mention from our @craftcms Twitter account.

I’ve found a security vulnerability. How should I report it?

If you’ve found a security vulnerability in one of our codebases, please read and follow our Security Policy.

Will you accommodate special security requirements?

If you have special security requirements, please contact us so we can review them with you and develop a plan for addressing them.