# Security Infrastructure
GeniXCMS implements a multi-layered security architecture designed to protect both the administration dashboard and custom themes from a wide range of web vulnerabilities. By enforcing modern standards like Content Security Policy (CSP), CSRF protection, and HTTP Header Hardening, the framework provides a secure-by-default environment for developers.
## 🛡️ Content Security Policy (CSP)
CSP is the primary defense against Cross-Site Scripting (XSS) and data injection attacks. GeniXCMS dispatches a robust CSP header with every response.
### 📜 Default Policy Directives
| Directive | Policy | Description |
|---|---|---|
| `default-src` | `'self'` | Disallows all external resources by default. |
| `script-src` | `'self'`, `'unsafe-inline'`, trusted CDNs | Allows internal scripts and whitelisted providers (JSDelivr, jQuery CDN, Cloudflare). |
| `style-src` | `'self'`, inline styles, trusted CDNs | Allows internal CSS and whitelisted style providers. |
| `img-src` | `'self'`, `data:`, `*` (HTTPS) | Allows internal images, base64 data URIs, and any secure external image. |
| `font-src` | `'self'`, `data:`, Google Fonts | Allows internal fonts and trusted font providers (gstatic.com). |
| `object-src` | `'none'` | Completely disables plugins like Flash or Silverlight. |
### 🔌 Extending the Whitelist
If your custom theme or module requires resources from a new third-party CDN (e.g., Swiper, Chart.js, or Google Maps), you must register the domain using the `system_security_headers_args` filter hook.
**Example: Whitelisting a New API & CDN**

```php
Hooks::attach('system_security_headers_args', function($rules) {
    // Allow scripts from a new CDN
    $rules['script-src'][] = "https://cdn.my-library.com";
    // Allow AJAX/Fetch requests to an external API
    $rules['connect-src'][] = "https://api.my-data-source.com";
    return $rules;
});
```
## 🔒 HTTP Header Hardening
In addition to CSP, GeniXCMS automatically injects the following security-focused headers into every response:
- `X-Content-Type-Options: nosniff`: Prevents browser-side MIME sniffing, forcing strict adherence to the declared `Content-Type`.
- `X-Frame-Options: SAMEORIGIN`: Protects against clickjacking by preventing the site from being embedded in an `<iframe>` on external domains.
- `X-XSS-Protection: 1; mode=block`: Enforces the built-in XSS filter in modern browsers.
- `Referrer-Policy: strict-origin-when-cross-origin`: Enhances user privacy by limiting referrer data sent to third-party sites.
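As an added, runnable illustration of the two sections above (it is not GeniXCMS code), the block below builds the `Content-Security-Policy` value from a rules array of the shape the `system_security_headers_args` hook receives, extends it through a hook callback like the one shown earlier, and emits the hardening headers alongside it. It also goes one step beyond the page by registering a per-request nonce, the migration path the Troubleshooting section recommends over `'unsafe-inline'`. The `Hooks` class here is a minimal stand-in written for this example, the CDN hostnames are assumed representatives of the providers named in the table, and `build_csp()`, `security_headers()` and `inline_script()` are hypothetical helper names.

```php
<?php
// Added example (not GeniXCMS's own code). Builds the CSP header from a rules
// array shaped like the one system_security_headers_args receives, applies a
// theme-side hook callback, and emits the hardening headers next to it.
declare(strict_types=1);

/** Minimal stand-in for GeniXCMS's Hooks class, assumed here so the demo runs alone. */
final class Hooks
{
    private static $callbacks = [];

    public static function attach(string $name, callable $cb): void
    {
        self::$callbacks[$name][] = $cb;
    }

    /** Pass $value through every callback attached to $name, in order. */
    public static function filter(string $name, $value)
    {
        foreach (self::$callbacks[$name] ?? [] as $cb) {
            $value = $cb($value);
        }
        return $value;
    }
}

/** Defaults mirroring the Default Policy table; hostnames are assumed stand-ins. */
function default_csp_rules(): array
{
    return [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net',
                          'https://code.jquery.com', 'https://cdnjs.cloudflare.com'],
        'style-src'   => ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
        'img-src'     => ["'self'", 'data:', 'https:'],
        'font-src'    => ["'self'", 'data:', 'https://fonts.gstatic.com'],
        'object-src'  => ["'none'"],
    ];
}

/** Serialise the rules into one header value: "default-src 'self'; script-src ...". */
function build_csp(array $rules): string
{
    $parts = [];
    foreach ($rules as $directive => $sources) {
        // De-duplicate so stacked hook callbacks cannot bloat the header.
        $parts[] = $directive . ' ' . implode(' ', array_values(array_unique($sources)));
    }
    return implode('; ', $parts);
}

/** CSP plus the hardening headers listed on this page, as name => value. */
function security_headers(array $rules): array
{
    return [
        'Content-Security-Policy' => build_csp($rules),
        'X-Content-Type-Options'  => 'nosniff',
        'X-Frame-Options'         => 'SAMEORIGIN',
        'X-XSS-Protection'        => '1; mode=block',
        'Referrer-Policy'         => 'strict-origin-when-cross-origin',
    ];
}

/** Inline <script> carrying the nonce the policy allows (hypothetical helper). */
function inline_script(string $nonce, string $js): string
{
    return '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">' . $js . '</script>';
}

// One nonce per request: it appears in the header and in every allowed <script>.
$nonce = base64_encode(random_bytes(16));

// Theme-side callback, in the style of the page's hook example.
Hooks::attach('system_security_headers_args', function (array $rules) use ($nonce) {
    $rules['script-src'][] = 'https://cdn.my-library.com';
    // A directive that is not in the defaults stops inheriting default-src the
    // moment it is set, so keep same-origin AJAX working by listing 'self' too.
    $rules['connect-src'] = array_merge($rules['connect-src'] ?? ["'self'"],
                                        ['https://api.my-data-source.com']);
    $rules['script-src'][] = "'nonce-" . $nonce . "'";
    return $rules;
});

$rules = Hooks::filter('system_security_headers_args', default_csp_rules());
foreach (security_headers($rules) as $name => $value) {
    echo $name, ': ', $value, PHP_EOL;   // a real response would call header("$name: $value")
}
echo inline_script($nonce, 'console.log("nonce accepted");'), PHP_EOL;
```

Two caveats when adopting this. Once a nonce or hash source is present in `script-src`, browsers that implement CSP Level 2 or later ignore `'unsafe-inline'` in that directive, so every inline script a nonce-enabled page still needs must carry the nonce; keep the nonce off pages that load legacy components such as elFinder until those are migrated. And `X-XSS-Protection` is harmless to send but is no longer honoured by current Chromium-based browsers or Firefox, so it is the CSP, not that header, that carries the XSS defence.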
## 🔑 CSRF Protection
Cross-Site Request Forgery is mitigated using a robust, token-based validation system.
- **Automated Generation**: Managed by the `Token` class.
- **Controller Validation**: Integrated into all core controllers.
- **Dashboard Constant**: The `TOKEN` constant is globally available in the admin panel for easy form integration.
**Implementation Example:**

```html
<form action="/submit" method="POST">
    <input type="hidden" name="token" value="{$token}">
    <!-- Form fields... -->
    <button type="submit">Complete Operation</button>
</form>
```
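An added, stand-alone illustration of the token flow described above, written for this page rather than taken from GeniXCMS: `CsrfToken` is a hypothetical class standing in for the framework's `Token` class, `handle_post()` stands in for a controller's validation step, and `$session` is a constructed in-memory array standing in for `$_SESSION`.

```php
<?php
// Added example (not GeniXCMS's Token class): session-bound CSRF tokens with
// constant-time validation, mirroring the <input name="token"> shown above.
declare(strict_types=1);

final class CsrfToken
{
    private const KEY = 'csrf_token';

    /** Return the session's token, generating an unguessable one on first use. */
    public static function get(array &$session): string
    {
        if (!isset($session[self::KEY]) || !is_string($session[self::KEY]) || $session[self::KEY] === '') {
            $session[self::KEY] = bin2hex(random_bytes(32));  // 256 bits of entropy
        }
        return $session[self::KEY];
    }

    /** Hidden field for a form; the value is escaped for the HTML attribute context. */
    public static function field(array &$session): string
    {
        $value = htmlspecialchars(self::get($session), ENT_QUOTES, 'UTF-8');
        return '<input type="hidden" name="token" value="' . $value . '">';
    }

    /**
     * True only if a non-empty submitted token equals the session's token.
     * hash_equals() compares in constant time, so a forged token leaks nothing
     * about how many leading characters happened to match.
     */
    public static function validate(array $session, $submitted): bool
    {
        $expected = $session[self::KEY] ?? null;
        if (!is_string($expected) || $expected === '' || !is_string($submitted) || $submitted === '') {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

/** Controller stand-in: state-changing requests are refused without a valid token. */
function handle_post(array $session, array $post): string
{
    if (!CsrfToken::validate($session, $post['token'] ?? null)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    return '200 OK: operation completed';
}

// Constructed in-memory session standing in for $_SESSION.
$session = [];
echo CsrfToken::field($session), PHP_EOL;                                  // render into the form
echo handle_post($session, ['token' => $session['csrf_token']]), PHP_EOL;  // legitimate submit
echo handle_post($session, ['token' => str_repeat('a', 64)]), PHP_EOL;     // forged token
echo handle_post($session, []), PHP_EOL;                                   // token omitted
```

The check fails closed: a cross-site form cannot read the victim's session token, so a forged or missing value is rejected before the controller does any work. Regenerate the token when the user logs in, so a value issued to an anonymous session is never carried over into an authenticated one.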
## 🛠️ Troubleshooting Violations
If you see "Refused to load..." or "Content Security Policy..." errors in your browser's developer console:
- **Check Protocol**: Ensure you are using `https://`. GeniXCMS blocks insecure `http://` external assets by default.
- **Verify Domain**: Is the domain in our Default Whitelist? If not, use the `system_security_headers_args` hook.
- **AJAX Connectivity**: If your JavaScript `fetch()` or `XMLHttpRequest` is failing, ensure the API domain is added to the `connect-src` directive.
**Note:** `'unsafe-inline'` and `'unsafe-eval'` are currently permitted for compatibility with legacy components (like elFinder); developers are encouraged to move towards nonce-based or hash-based script execution for custom developments.

## See Also
- Hooks Reference — For a deep dive into using policy filtering hooks.
- Vendor Management — How integrated libraries are secured.