Total CMS Security Guide
This guide provides essential security recommendations for protecting your Total CMS installation and data.
Protecting the tcms-data Folder
The tcms-data folder contains all your CMS content, including potentially sensitive information (API keys, user data, collection data). It is crucial to protect this directory from unauthorized web access: anything a browser can fetch from it is effectively public.
Automatic Apache Protection: Total CMS automatically creates a .htaccess file in the tcms-data folder to deny direct web access when using Apache. If you are using Nginx, Caddy or another web server, .htaccess files are ignored and you must configure the protection manually (see the server-specific configuration below).
Best Practice: Move Outside Document Root
The most secure approach is to relocate the tcms-data folder outside your web server's document root, so that no web server rule is needed to keep it private:

1. Move the folder to a location outside your public web directory:

```bash
# Example: move from /var/www/html/tcms-data to /var/www/tcms-data
mv /var/www/html/tcms-data /var/www/tcms-data
```

2. Update the configuration in the Admin Dashboard:
   - Navigate to Admin → Settings
   - Update the "Data Directory" field to the new location
   - Save the settings

3. Ensure proper permissions. The directory must be readable and writable by the web server user (www-data on Debian/Ubuntu; adjust for your distribution):

```bash
chmod -R 755 /var/www/tcms-data
chown -R www-data:www-data /var/www/tcms-data   # adjust user/group as needed
```

Note that 755 on directories (and 644 on files) leaves the contents readable by every local account. On a shared host, or any server with other users, prefer 750 for directories and 640 for files so that only the web server user and group can read the API keys stored there.
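The following audit script is an added example, not part of Total CMS: it checks the three outcomes the steps above aim for, namely that the data directory resolves outside the document root, that nothing in it is readable or writable by "other", and, when the directory does sit inside the document root on Apache, that the auto-generated .htaccess containing `Require all denied` is present. It assumes every local account other than the web server's is untrusted, and demo() builds its sample layouts in a temporary directory rather than touching a real install.

```python
"""Audit where tcms-data lives and who can read it (added example, not Total CMS code)."""
import os
import stat
import tempfile
from pathlib import Path


def is_inside(child: Path, parent: Path) -> bool:
    """True when child resolves to parent or to something beneath it."""
    child, parent = child.resolve(), parent.resolve()
    return child == parent or parent in child.parents


def world_accessible(root: Path) -> list:
    """Relative paths under root (root itself included) with any 'other' r/w bit set."""
    hits = []
    for p in [root, *root.rglob("*")]:
        if p.lstat().st_mode & (stat.S_IROTH | stat.S_IWOTH):
            hits.append(p.relative_to(root).as_posix())
    return hits


def audit(data_dir: Path, docroot: Path) -> list:
    """Return findings as strings; an empty list means every check passed."""
    if not data_dir.is_dir():
        return [f"data directory {data_dir} does not exist"]
    findings = []
    if is_inside(data_dir, docroot):
        findings.append("tcms-data is inside the document root; prefer moving it out")
        htaccess = data_dir / ".htaccess"
        # Assumption: the auto-generated file is recognised by this literal directive.
        if not htaccess.is_file() or "Require all denied" not in htaccess.read_text():
            findings.append("no .htaccess with 'Require all denied' in tcms-data "
                            "(Apache only; Nginx and Caddy need server configuration)")
    findings.extend(f"readable or writable by everyone: {rel}"
                    for rel in world_accessible(data_dir))
    return findings


def demo() -> tuple:
    """Run audit() against a constructed bad layout and a constructed fixed one."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp, "var/www/html")
        # Bad: inside the docroot, no .htaccess, default 755/644 permissions.
        bad = docroot / "tcms-data"
        bad.mkdir(parents=True)
        (bad / "config.json").write_text('{"api_key": "constructed-sample"}')
        os.chmod(bad, 0o755)
        os.chmod(bad / "config.json", 0o644)
        bad_findings = audit(bad, docroot)
        # Fixed: moved beside the docroot, readable only by owner and group.
        good = Path(tmp, "var/www/tcms-data")
        good.mkdir()
        (good / "config.json").write_text('{"api_key": "constructed-sample"}')
        os.chmod(good, 0o750)
        os.chmod(good / "config.json", 0o640)
        good_findings = audit(good, docroot)
    return bad_findings, good_findings


if __name__ == "__main__":
    for label, findings in zip(("bad layout", "fixed layout"), demo()):
        print(label, "->", findings or "OK")
```

Run it as `python audit.py` after the move; on a real server call `audit(Path("/var/www/tcms-data"), Path("/var/www/html"))` with your own paths. The .htaccess check is only meaningful for Apache, and only confirms the file exists, not that Apache honours it, so follow it with an HTTP request to a known file under /tcms-data/ and confirm the response is not 200.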
Alternative: Restrict Access Within Document Root
If you must keep tcms-data within the document root, configure your web server to block access.
Apache (.htaccess)
Automatic Protection: Total CMS automatically creates a .htaccess file inside the tcms-data folder when it is first initialized. This file denies all direct web access to the folder contents.

The auto-generated .htaccess file contains:

```apache
# Deny direct access to all files and folders in tcms-data
# This protects sensitive data including API keys, collections, and user data
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

This only takes effect if Apache is permitted to read .htaccess files for that directory: the vhost or directory block needs AllowOverride AuthConfig (for Require) or AllowOverride Limit (for the legacy Order/Deny directives), or AllowOverride All. With AllowOverride None the file is silently ignored and the folder is exposed, so always verify by requesting a known file path under /tcms-data/ and confirming the response is 403 or 404 rather than 200.

Alternative Approach: You can also add this to your root .htaccess file, which answers 404 for anything under the directory and does not depend on the folder's own .htaccess being honoured:

```apache
# Define 404 page
ErrorDocument 404 /404/

# Block access to tcms-data directory
RedirectMatch 404 ^/tcms-data/
```

Nginx
Required for Nginx Users: Unlike Apache, Nginx does not process .htaccess files. You must add this protection to your server block configuration manually.

Add this to your Nginx server block configuration:

```nginx
# Block access to tcms-data directory
location ^~ /tcms-data/ {
    return 404;
}

# Narrower variant: only block specific data file types
# (redundant when the block above is present)
location ~ ^/tcms-data/.*\.(json|md|txt|log)$ {
    return 404;
}
```

The ^~ prefix modifier matters: regex locations are tried in configuration order, so a `location ~ \.php$` block defined earlier would otherwise win for a request such as /tcms-data/x.php and pass the file to PHP. A prefix location with ^~ stops the regex search. `return 404` runs in the rewrite phase, before access checks, so a `deny all` alongside it never fires; `deny all` on its own returns 403, which confirms to a probing client that the path exists.

Caddy
Required for Caddy Users: Caddy does not process .htaccess files. You must add this protection to your Caddyfile manually.

Add this to your Caddyfile, inside the site block:

```caddyfile
# Block access to tcms-data directory
@blocked path /tcms-data/*
respond @blocked 404
```

Or use a more explicit approach:

```caddyfile
handle /tcms-data/* {
    respond 404
}
```

Authentication and Session Security
Strong Password Requirements
- Enforce a minimum password length (8 characters as the absolute floor; 12 or more is better)
- Require a mix of uppercase, lowercase, numbers, and special characters
- Implement password history to prevent reuse
- Consider implementing two-factor authentication (2FA)
Session Security
Total CMS implements several session security measures:
- Session regeneration on login
- Secure session cookies (when using HTTPS)
- CSRF protection on all state-changing operations
Account Security
- Limit login attempts to prevent brute force attacks
- Implement account lockout after failed attempts
- Log authentication events for monitoring
- Regularly review user accounts and remove inactive ones
Content Security
HTML Sanitization
Total CMS sanitizes HTML content by default to prevent XSS attacks. This is especially important for user-generated content.
⚠️ Warning: Disabling HTML Sanitization
While it’s possible to disable HTML sanitization for certain fields, this significantly increases security risks:
```json
{ "htmlclean": false }
```

Risks of disabling sanitization:
- Cross-Site Scripting (XSS): Malicious scripts can steal user sessions, redirect users, or modify page content
- HTML Injection: Attackers can inject malicious HTML that breaks page layouts or functionality
- Data Theft: Scripts can access and transmit sensitive data to external servers
- Phishing: Malicious content can mimic legitimate forms to steal credentials
If you must allow raw HTML:
- Only enable it for trusted administrator accounts
- Never allow it for public-facing content
- Implement Content Security Policy headers
- Regularly audit content for suspicious code
- Consider using a more restrictive whitelist approach
SVG Security
SVG files can contain JavaScript and other potentially dangerous content. Total CMS automatically sanitizes SVG uploads to remove:
- <script> tags
- Event handlers (onclick, onload, etc.)
- External references
- JavaScript in URLs
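The sanitiser below is an added example, not Total CMS's own svgclean implementation, showing what removing those four classes of content involves in practice, and it applies equally to the HTML-sanitization discussion above since the dangerous constructs (script elements, on* handlers, javascript: URLs, external references) are the same. It drops `<script>` elements (and `<foreignObject>`, which can wrap arbitrary HTML), strips every on* attribute, removes href/xlink:href values that are neither #fragment nor inline raster data: references, and blanks CSS that imports or loads external resources. MALICIOUS_SVG is a constructed sample; the allow-list choices are this example's own.

```python
"""Allow-list SVG sanitiser (added example, not Total CMS code).

For untrusted XML in production, parse with defusedxml rather than the
stdlib so entity-expansion attacks are neutralised as well.
"""
import re
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

DROP_ELEMENTS = {"script", "foreignObject"}
URL_ATTRS = {"href", "src"}                      # xlink:href is matched via its local name
_JS_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.I)
_DATA_RASTER = re.compile(r"^data:image/(?:png|jpe?g|gif|webp);", re.I)
# @import, CSS expression(), or a url(...) that is not a #fragment reference
_EXTERNAL_CSS = re.compile(r"@import|expression\s*\(|url\(\s*['\"]?\s*(?!#)", re.I)


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def unsafe_url(value: str) -> bool:
    """javascript: URLs and anything external (not #id or an inline raster image) are unsafe."""
    v = value.strip()
    if _JS_SCHEME.match(v):
        return True
    return not (v.startswith("#") or _DATA_RASTER.match(v))


def _clean(el: ET.Element) -> None:
    for child in list(el):
        if _local(child.tag) in DROP_ELEMENTS:
            el.remove(child)
        else:
            _clean(child)
    for name in list(el.attrib):
        local = _local(name)
        if local.lower().startswith("on"):                       # onload, onclick, ...
            del el.attrib[name]
        elif local in URL_ATTRS and unsafe_url(el.attrib[name]):
            del el.attrib[name]
        elif local == "style" and _EXTERNAL_CSS.search(el.attrib[name]):
            del el.attrib[name]
    if _local(el.tag) == "style" and _EXTERNAL_CSS.search(el.text or ""):
        el.text = ""                                              # keep the element, drop the CSS


def sanitize_svg(svg_text: str) -> str:
    root = ET.fromstring(svg_text)
    _clean(root)
    return ET.tostring(root, encoding="unicode")


# Constructed sample containing one instance of each dangerous construct.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <defs><linearGradient id="g"/></defs>
  <rect width="10" height="10" style="fill:url(#g)" onclick="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><text>click</text></a>
  <image href="https://evil.example/track.png"/>
  <use xlink:href="#g"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><iframe src="https://evil.example"/></body></foreignObject>
  <style>@import url(https://evil.example/x.css);</style>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(MALICIOUS_SVG))
```

The legitimate parts survive (the gradient, the `<use>` pointing at it, the `fill:url(#g)` style) while every script, handler, javascript: link and remote reference is gone. An allow-list of permitted elements and attributes is stricter still and is what a production sanitiser should use; this version keeps the focus on the four categories the guide names.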
SVG sanitization can be disabled with the same kind of setting as HTML sanitization; the risks are the same, and the default should be kept unless there is a specific, trusted-source reason to change it:

```json
{ "svgclean": false }
```

File Upload Security
Best Practices
- File Type Restrictions: Only allow necessary file types
- File Size Limits: Set appropriate maximum file sizes
- Filename Sanitization: Special characters are automatically removed
- MIME Type Verification: Files are checked beyond just extensions
- Upload Directory: Ensure upload directories are not executable
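As an added example, not Total CMS's validator, here is what three of those controls look like together: a size window, a content-type decision taken from the file's own leading bytes rather than its extension or the client's Content-Type, and filename sanitisation that removes path components and collapses double extensions. RULES is this example's own format with explicit byte limits, because the schema shown below does not state the unit of its size field; reading 300 as KiB is an assumption. The sample files in demo() are constructed byte strings, not real images.

```python
"""Upload validation by size, sniffed type and sanitised filename (added example)."""
import re
import unicodedata
from typing import Optional

# Leading bytes that identify the three types allowed in the page's sample schema.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}
EXTENSIONS = {"image/jpeg": {".jpg", ".jpeg"}, "image/png": {".png"}, "application/pdf": {".pdf"}}
RULES = {
    "min_bytes": 1,
    "max_bytes": 300 * 1024,  # assumption: the schema's "max": 300 read as KiB
    "filetype": ["image/jpeg", "image/png", "application/pdf"],
}


def sniff_mime(data: bytes) -> Optional[str]:
    """Decide the type from the file's own bytes, never from the client's claim."""
    for mime, sigs in SIGNATURES.items():
        if data.startswith(sigs):
            return mime
    return None


def sanitize_filename(name: str) -> str:
    """Drop directory parts, non-ASCII and special characters; keep a single extension."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]            # ../../x or C:\x -> x
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = re.sub(r"[^A-Za-z0-9._-]+", "-", name).strip("._-")   # also drops leading dots (.htaccess)
    stem, dot, ext = name.rpartition(".")
    if dot:
        name = stem.replace(".", "-").strip("-") + "." + ext      # shell.php.jpg -> shell-php.jpg
    return name or "upload"


def validate_upload(filename: str, data: bytes, declared_mime: str, rules: dict) -> tuple:
    """Return (accepted, safe_filename, reasons); every failed check is reported."""
    reasons = []
    if not rules["min_bytes"] <= len(data) <= rules["max_bytes"]:
        reasons.append(f"size {len(data)} outside {rules['min_bytes']}..{rules['max_bytes']} bytes")
    sniffed = sniff_mime(data)
    if sniffed not in rules["filetype"]:
        reasons.append(f"content sniffed as {sniffed or 'unknown'}, not in allow-list")
    elif declared_mime != sniffed:
        reasons.append(f"client declared {declared_mime} but content is {sniffed}")
    safe = sanitize_filename(filename)
    ext = ("." + safe.rsplit(".", 1)[-1].lower()) if "." in safe else ""
    if sniffed and ext not in EXTENSIONS[sniffed]:
        reasons.append(f"extension {ext or '(none)'} does not match {sniffed}")
    return (not reasons, safe, reasons)


def demo() -> dict:
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64                    # constructed PNG header + padding
    php = b"<?php system($_GET['c']); ?>"                          # constructed web-shell body
    return {
        "good_png": validate_upload("Photo (1).PNG", png, "image/png", RULES),
        "php_disguised": validate_upload("../../shell.php.jpg", php, "image/jpeg", RULES),
        "wrong_ext": validate_upload("note.pdf", png, "image/png", RULES),
        "too_big": validate_upload("big.png", png + b"\x00" * RULES["max_bytes"], "image/png", RULES),
    }


if __name__ == "__main__":
    for case, (ok, name, why) in demo().items():
        print(f"{case:14} accepted={ok} name={name} {why}")
```

Magic-byte sniffing is necessary but not sufficient: a valid JPEG can still carry PHP in a comment segment, which is why the guide also insists that upload directories are not executable. Rejecting a declared/sniffed mismatch is deliberate; honest clients send matching types, and a mismatch usually means tampering.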
Configuration
Configure upload restrictions in your collection schemas:

```json
{
  "rules": {
    "size": { "min": 0, "max": 300 },
    "filetype": ["image/jpeg", "image/png", "application/pdf"],
    "filename": ["image.jpg"]
  }
}
```

HTTPS and Transport Security
Always Use HTTPS
- Obtain an SSL certificate (Let's Encrypt provides free certificates)
- Configure your web server to use HTTPS
- Implement HTTP to HTTPS redirects
- Enable HSTS (HTTP Strict Transport Security)
Apache HTTPS Configuration

```apache
# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

Put the HSTS Header line in the HTTPS vhost only; browsers ignore the header when it arrives over plain HTTP. includeSubDomains commits every subdomain to HTTPS for a year, so confirm none of them still depends on plain HTTP before enabling it.

Nginx HTTPS Configuration

```nginx
# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

# HTTPS server block
server {
    listen 443 ssl http2;
    server_name example.com;

    # Enable HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Caddy HTTPS Configuration

```caddyfile
# Caddy obtains certificates and redirects HTTP to HTTPS automatically, but you can be explicit
example.com {
    header Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
```

Additional Security Headers
Total CMS automatically sets several security headers, but you can enhance them at the web server:

Apache

```apache
# Security headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
```

Nginx

```nginx
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
```

Caddy

```caddyfile
header {
    X-Content-Type-Options nosniff
    X-Frame-Options SAMEORIGIN
    X-XSS-Protection "1; mode=block"
    Referrer-Policy strict-origin-when-cross-origin
    Permissions-Policy "geolocation=(), microphone=(), camera=()"
}
```

Two caveats. X-XSS-Protection is a legacy header that current browsers ignore (Chrome and Edge removed the XSS auditor; Firefox never implemented one); it is harmless but no substitute for a Content-Security-Policy header, which is the effective control against injected scripts and is not shown here because its value depends on which scripts and styles your site loads. In Nginx, add_header directives in a location block replace, rather than extend, those inherited from the server block, so define the whole list at one level.
Section titled “Regular Security Maintenance”Keep Software Updated
Section titled “Keep Software Updated”- Total CMS: Regularly check for and install updates
- PHP: Keep PHP version current (8.2+ recommended)
- Web Server: Update Apache/Nginx/Caddy regularly
- Dependencies: Run
composer updateregularly (test first!)
Security Monitoring
- Access Logs: Regularly review web server access logs
- Error Logs: Monitor PHP and application error logs
- Failed Logins: Track and investigate failed login attempts
- File Changes: Monitor for unexpected file modifications
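Reviewing access logs by eye does not scale, so here is an added example (not part of Total CMS) of two detections an operator would run over the web server's combined-format access log: any 2xx response under /tcms-data/ means the directory protection from the first section is not working, and a burst of failed login POSTs from one client, especially when followed by a success, is a brute-force signal. The login path /admin/login, the convention that a failed login returns 401 or 403, and the 5-in-5-minutes threshold are assumptions to adjust for your install; the log lines are constructed samples.

```python
"""Detections over web-server access logs (added example, not Total CMS code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATH = "/admin/login"          # assumption: adjust to the real admin login endpoint
FAIL_STATUSES = {401, 403}           # assumption: how a failed login shows up in the log
WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def data_dir_exposure(events: list) -> list:
    """Requests under /tcms-data/ that were answered successfully: the protection failed."""
    return [e for e in events if e["path"].startswith("/tcms-data/") and 200 <= e["status"] < 300]


def brute_force(events: list) -> dict:
    """Clients with >= THRESHOLD failed login POSTs inside WINDOW, plus whether a
    non-failing login POST from the same client followed (a likely compromise)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == LOGIN_PATH:
            (fails if e["status"] in FAIL_STATUSES else successes)[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            later = [s for s in successes.get(ip, []) if s >= times[0]]
            hits[ip] = {"failures": best, "success_after_burst": bool(later)}
    return hits


def analyze(log_text: str) -> dict:
    events = [e for e in map(parse, log_text.splitlines()) if e]
    return {"exposure": [e["path"] for e in data_dir_exposure(events)],
            "brute_force": brute_force(events)}


# Constructed sample: one leaked data file, one credential-stuffing burst that
# succeeds on the seventh try, and one legitimate user who mistypes once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /tcms-data/collections/users.json HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /tcms-data/.htaccess HTTP/1.1" 403 199 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2025:10:01:00 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:03 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:06 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:09 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:12 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:15 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:01:18 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2025:10:02:00 +0000] "POST /admin/login HTTP/1.1" 401 0 "https://example.com/admin" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:02:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "https://example.com/admin" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:02:31 +0000] "GET /admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A hit with success_after_burst set to True should be treated as a compromised account, not just an attempted one: reset that user's password and review what the session did afterwards. Feed the script from cron with `tail` of the live log, or point it at rotated logs during an investigation.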
Backup Strategy
- Regular Backups: Automate daily backups of tcms-data
- Offsite Storage: Store backups in a separate location
- Test Restores: Regularly verify backup integrity
- Version Control: Consider using Git for configuration files
Security Checklist
- tcms-data folder is protected or moved outside document root
- HTTPS is enabled with valid certificate
- Strong passwords are enforced
- File upload restrictions are configured
- Security headers are properly set
- Regular backups are configured
- Software is kept up to date
- Access logs are monitored
- HTML sanitization is enabled (unless explicitly required otherwise)
Emergency Response
If you suspect a security breach:

1. Immediate Actions:
   - Change all passwords, and rotate the API keys stored in tcms-data; if that directory was reachable from the web, treat every key in it as compromised
   - Review access logs (copy them somewhere safe first so the evidence survives log rotation)
   - Check for unauthorized file changes
   - Clear the cache:
     /emergency/cache/clear

2. Investigation:
   - Review user accounts for unauthorized access
   - Check for suspicious files in upload directories
   - Examine database/JSON files for injected content

3. Recovery:
   - Restore from a clean backup if necessary
   - Update all software
   - Implement additional security measures
   - Document the incident for future reference
Remember: Security is an ongoing process, not a one-time setup. Regular reviews and updates are essential for maintaining a secure Total CMS installation.