Security Best Practices
Essential security measures for production deployment
Critical: Review and implement ALL security measures before deploying to production.
Authentication & Authorization
Password Security
- Bcrypt Hashing: All passwords hashed with PASSWORD_BCRYPT
- Minimum Length: 8 characters enforced
- No Plain Text: Passwords never stored in plain text
- Reset Tokens: Time-limited (24 hours) and single-use
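The four points above in working code, as an added example (not the dashboard's own code): bcrypt via password_hash() with the 8-character minimum, transparent rehashing when the cost changes, and a reset token that is stored only as a hash, expires after 24 hours and can be consumed exactly once. The users and password_resets tables, their columns and the MySQL NOW() function are assumptions.

```php
<?php
// Added example, not project code. Assumes tables `users(id, password_hash)` and
// `password_resets(user_id, token_hash, expires_at, used_at)` and a MySQL/MariaDB backend.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 8;
const BCRYPT_COST         = 12;
const RESET_TOKEN_TTL     = 24 * 60 * 60; // 24 hours, as the page specifies

function hashPassword(string $password): string
{
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        throw new InvalidArgumentException('Password must be at least 8 characters');
    }
    // Bcrypt only looks at the first 72 bytes; refuse longer input instead of
    // silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('Password too long (max 72 bytes)');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(PDO $db, int $userId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // Upgrade hashes created with an older/lower cost on successful login.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $stmt->execute([hashPassword($password), $userId]);
    }
    return true;
}

// Issue a reset token. The raw token goes into the e-mail link; only its SHA-256
// hash is stored, so a leaked database does not let an attacker reset passwords.
function issueResetToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at, used_at)
         VALUES (?, ?, ?, NULL)'
    );
    $stmt->execute([
        $userId,
        hash('sha256', $token),
        date('Y-m-d H:i:s', time() + RESET_TOKEN_TTL),
    ]);
    return $token;
}

// Consume a token. Expiry and single use are enforced by the UPDATE's WHERE
// clause, so two concurrent requests with the same token cannot both succeed.
function consumeResetToken(PDO $db, string $token): ?int
{
    $tokenHash = hash('sha256', $token);
    $db->beginTransaction();
    try {
        $stmt = $db->prepare(
            'UPDATE password_resets SET used_at = NOW()
             WHERE token_hash = ? AND used_at IS NULL AND expires_at > NOW()'
        );
        $stmt->execute([$tokenHash]);
        if ($stmt->rowCount() !== 1) {
            $db->rollBack();
            return null; // unknown, expired, or already used
        }
        $stmt = $db->prepare('SELECT user_id FROM password_resets WHERE token_hash = ?');
        $stmt->execute([$tokenHash]);
        $userId = (int) $stmt->fetchColumn();
        $db->commit();
        return $userId;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```

The caller treats a null from consumeResetToken() as a generic "link invalid or expired" message; do not tell the requester which of the three conditions failed.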
Permission System
- Middleware Protection: Use PermissionMiddleware on sensitive routes
- Server-Side Checks: Never rely on client-side permission checks
- Granular Permissions: 21 permissions across 4 categories
- Admin Override: Admin users bypass permission checks, so admin accounts need the strongest protection (keep the number of admins small, and review their actions in the audit log)
Example Usage:
use App\Middleware\PermissionMiddleware;
// In controller
PermissionMiddleware::require('vm.create');
// Check multiple permissions
PermissionMiddleware::require(['vm.create', 'vm.start'], true);
// Admin only
PermissionMiddleware::requireAdmin();
Email Verification
- Mandatory Verification: Users must verify email before login
- Unique Tokens: Each verification link is unique and single-use
- Admin Approval: Additional layer after email verification
- Prevents Spam: Reduces fake account creation
Database Security
SQL Injection Prevention
- Prepared Statements: All queries use PDO prepared statements
- Parameter Binding: User input never concatenated into SQL
- Input Validation: Validate and sanitize all user input as a second layer; it complements parameter binding and does not replace it
Example:
// GOOD ✓
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$userId]);
// BAD ✗
$query = "SELECT * FROM users WHERE id = $userId";
Transactions
- Atomic Operations: Credit operations use database transactions
- Rollback on Error: Automatic rollback if any step fails
- Data Integrity: Ensures consistent state
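A credit purchase written the way the three points above describe, as an added example that is not the dashboard's own code: one transaction, a row lock so two concurrent purchases cannot both spend the same balance, and a rollback on any failure. Table and column names are assumed, as is a MySQL/MariaDB backend.

```php
<?php
// Added example, not project code. Assumes tables `users(id, credits)`,
// `credit_transactions(user_id, amount, reason, created_at)` and
// `group_members(group_id, user_id, joined_at)`.
declare(strict_types=1);

final class InsufficientCreditsException extends RuntimeException {}

function purchaseWithCredits(PDO $db, int $userId, int $groupId, int $price): void
{
    if ($price <= 0) {
        throw new InvalidArgumentException('price must be positive');
    }
    $db->beginTransaction();
    try {
        // Lock the user's row until commit/rollback. Without the lock, two
        // concurrent purchases can both read the same balance (double spend).
        $stmt = $db->prepare('SELECT credits FROM users WHERE id = ? FOR UPDATE');
        $stmt->execute([$userId]);
        $balance = $stmt->fetchColumn();
        if ($balance === false) {
            throw new RuntimeException('unknown user');
        }
        if ((int) $balance < $price) {
            throw new InsufficientCreditsException('not enough credits');
        }

        // Defence in depth: the WHERE clause refuses to go negative even if the
        // lock above were ever lost, and we check that exactly one row changed.
        $stmt = $db->prepare(
            'UPDATE users SET credits = credits - ? WHERE id = ? AND credits >= ?'
        );
        $stmt->execute([$price, $userId, $price]);
        if ($stmt->rowCount() !== 1) {
            throw new RuntimeException('balance changed during purchase');
        }

        $stmt = $db->prepare(
            'INSERT INTO credit_transactions (user_id, amount, reason, created_at)
             VALUES (?, ?, ?, NOW())'
        );
        $stmt->execute([$userId, -$price, "group purchase #$groupId"]);

        $stmt = $db->prepare(
            'INSERT INTO group_members (group_id, user_id, joined_at) VALUES (?, ?, NOW())'
        );
        $stmt->execute([$groupId, $userId]);

        $db->commit();
    } catch (Throwable $e) {
        // Any failure above, business-rule or SQL, undoes every statement
        // issued since beginTransaction().
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Usage. ERRMODE_EXCEPTION matters: without it a failing INSERT returns false
// instead of throwing, the catch block never runs, and the partial transaction
// is committed.
// $db = new PDO('mysql:host=localhost;dbname=dashboard', $dbUser, $dbPass,
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// purchaseWithCredits($db, $userId, $groupId, 50);
```

"Rollback on Error" only holds if PDO is configured to throw; check the PDO::ATTR_ERRMODE setting in the connection code before relying on it.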
API Security
Proxmox API Credentials
- Environment Variables: Store credentials in .env
- Never Commit: Add .env to .gitignore
- Token-Based Auth: Use API tokens, not passwords
- Least Privilege: Grant minimum required permissions
- File Permissions: Set .env to 600 (owner read/write only)
chmod 600 .env
PayPal Integration
- Sandbox Testing: Test thoroughly before going live
- Webhook Verification: Verify PayPal webhook signatures before acting on an event; an endpoint that skips this lets anyone POST a forged "payment completed" notification and credit an account
- HTTPS Required: PayPal requires SSL/TLS in production
- Error Handling: Log all payment errors for review
Session Security
- Secure Cookies: Use httponly and secure flags
- Session Regeneration: Regenerate session ID on login
- Timeout: Implement session timeout for inactive users
- CSRF Protection: Use CSRF tokens for state-changing operations
Recommended php.ini Settings:
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
session.cookie_samesite = "Strict"
Note: With SameSite=Strict the browser does not send the session cookie on top-level navigations arriving from another site, so a user redirected back from PayPal checkout lands on the dashboard without their session. If that return must stay logged in, use "Lax" instead; Lax still blocks the cookie on cross-site POST requests.
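The session measures above applied at runtime, as an added example that is not the dashboard's own code: the same cookie flags set from PHP, session ID regeneration on login, an idle timeout, and a CSRF token issued and checked with a constant-time comparison. The 30-minute timeout and the csrf_token field/header names are assumptions.

```php
<?php
// Added example, not project code. Call startSecureSession() in the front
// controller before any output, loginUser() after the password check passes,
// and requireValidCsrfToken() at the top of every state-changing handler.
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 30 * 60; // 30 minutes of inactivity (assumed value)

function startSecureSession(): void
{
    // Same effect as the php.ini settings above; must run before session_start().
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // 'Lax' if cross-site returns (PayPal) must stay logged in
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server never issued
    session_start();

    // Idle timeout: drop a session that has been unused for too long.
    $now = time();
    if (isset($_SESSION['last_activity'])
        && $now - (int) $_SESSION['last_activity'] > SESSION_IDLE_TIMEOUT) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_activity'] = $now;
}

function loginUser(int $userId): void
{
    // A fresh ID at the privilege change defeats session fixation: an ID an
    // attacker planted in the victim's browser before login is never bound to
    // the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function logoutUser(): void
{
    session_unset();
    session_destroy();
}

// Token to embed as a hidden form field named csrf_token (HTML-escape it in the template).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireValidCsrfToken(): void
{
    // Accept the token from the form body or, for AJAX calls, an X-CSRF-Token header.
    $sent     = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() runs in constant time; a plain === comparison can leak the
    // token one byte at a time through response timing.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
```

Regenerate the ID again on logout/login of a different user and on password change; the CSRF token is tied to the session, so a new session gets a new token.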
HTTPS/SSL
SSL/TLS Configuration
- Required for Production: Always use HTTPS in production
- Let's Encrypt: Free SSL certificates
- Force HTTPS: Redirect HTTP to HTTPS
- HSTS Header: Enable HTTP Strict Transport Security once every host it covers serves valid HTTPS; browsers cache the policy for the full max-age, so a premature or wrong header locks users out until it expires
Apache .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Audit Logging
- Action Tracking: Log all important user actions
- IP Recording: Store IP addresses for security review
- Timestamp: All logs include precise timestamps
- Admin Review: Regular audit log review recommended
Logged Actions:
- User login/logout
- Group purchases
- Credit transactions
- VM operations
- Admin actions
- Group expiry (via cron)
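An audit logger covering the points above, as an added example that is not the dashboard's own code: IP recording that only trusts X-Forwarded-For behind a proxy you control, UTC timestamps so web and cron entries line up, and calls for the listed action types. The audit_log table, the action names, the trusted-proxy list and the review query are assumptions.

```php
<?php
// Added example, not project code. Assumes a table
// `audit_log(user_id, action, details, ip_address, user_agent, created_at)`.
declare(strict_types=1);

// Only trust X-Forwarded-For when the direct peer is a proxy you operate;
// otherwise any client can forge the IP that ends up in the audit log.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Left-most entry is the original client; validate it, since the header
        // is free text and could carry anything.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// $details must never contain passwords, reset tokens or API tokens;
// the audit log is read by admins and may be exported for review.
function auditLog(PDO $db, ?int $userId, string $action, array $details = []): void
{
    $stmt = $db->prepare(
        'INSERT INTO audit_log (user_id, action, details, ip_address, user_agent, created_at)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->execute([
        $userId,
        $action,
        json_encode($details, JSON_THROW_ON_ERROR),
        clientIp($_SERVER),
        substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        gmdate('Y-m-d H:i:s'), // UTC: web requests and the expiry cron agree on time
    ]);
}

// The logged actions listed above, with assumed action names:
// auditLog($db, $userId, 'user.login');
// auditLog($db, null, 'user.login_failed', ['username' => $username]);
// auditLog($db, $userId, 'group.purchase', ['group_id' => 7, 'credits' => 50]);
// auditLog($db, $userId, 'vm.start', ['vmid' => 104, 'node' => 'pve1']);
// auditLog($db, $adminId, 'admin.approve_user', ['target_user_id' => 42]);
// auditLog($db, null, 'group.expire', ['group_id' => 7, 'source' => 'cron']);

// Review query for the "Admin Review" step: IPs with many failed logins in the last day.
// SELECT ip_address, COUNT(*) AS failures FROM audit_log
//  WHERE action = 'user.login_failed'
//    AND created_at > UTC_TIMESTAMP() - INTERVAL 1 DAY
//  GROUP BY ip_address HAVING failures > 20;
```

Record failed logins as well as successful ones; without them the log cannot show a brute-force attempt, only its eventual success.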
Production Checklist
Pre-Deployment Checklist
Cron Job Setup
Group Expiry Cron
Set up the cron job to run daily at midnight:
crontab -e
Add this line:
0 0 * * * /usr/bin/php /path/to/Proxmox-Dashboard/bin/expire_groups.php >> /var/log/proxmox-dashboard-cron.log 2>&1
Note: Replace /path/to/Proxmox-Dashboard with your actual installation path. Install the entry in the crontab of the user the dashboard runs as (for example www-data), not root, so the script runs with only the permissions the application already needs.