Line 9: |
Line 9: |
| | | |
| '''Encryption''' | | '''Encryption''' |
− | * User passwords can be encrypted in database. | + | * User passwords can be encrypted in database <sup>[*8]</sup> <sup>[*7]</sup>. |
− | * Database technical password can be encoded in the [[Configuration_file|Dolibarr configuration file]] (conf.php). | + | * Database technical password can be obfuscated the [[Configuration_file|Dolibarr configuration file]] (conf.php) <sup>[*8]</sup>. |
− | * Possibility to force HTTPS. | + | * Possibility to force HTTPS <sup>[*9]</sup>. |
| | | |
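Review bot: in the first bullet, "encrypted in database" is the wrong word if what is stored is a one-way hash; "encrypted" implies the cleartext can be recovered with a key, while a password store should hold a salted hash that cannot. Say "hashed" (or state the actual mechanism) so readers do not assume reversibility. In the second bullet a preposition is missing: "can be obfuscated in the [[Configuration_file|Dolibarr configuration file]] (conf.php)". The change from "encoded" to "obfuscated" is the right correction, since conf.php must remain readable by the web server and obfuscation only prevents casual disclosure, not an attacker who can read the file; it would help to say that explicitly. Minor: the footnote markers "[*8] [*7]" are in descending order while every other bullet lists them ascending.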
| '''Hacks and cracks''' | | '''Hacks and cracks''' |
− | * Works with register_globals on or off (off highly recommended). | + | * Works with register_globals on or off (off highly recommended) <sup>[*2]</sup>. |
− | * Works with PHP safe_mode on or off (on recommended). | + | * Works with PHP safe_mode on or off (on recommended) <sup>[*3]</sup>. |
| * Production option to disable any technical information leakage (debug, error stacktrace, version informations) <sup>[*6]</sup> (TODO Not yet available). | | * Production option to disable any technical information leakage (debug, error stacktrace, version informations) <sup>[*6]</sup> (TODO Not yet available). |
− | * Protection against SQL injection. | + | * Protection against SQL injection <sup>[*2]</sup>. |
− | * Protection against XSS injection (Cross Site Scripting). | + | * Protection against XSS injection (Cross Site Scripting) <sup>[*1]</sup>. |
− | * Protection against CSRF (Cross Site Request Forgery). | + | * Protection against CSRF (Cross Site Request Forgery) <sup>[*5]</sup>. |
| | | |
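Review bot: the safe_mode bullet recommends "on", but PHP safe_mode was deprecated in 5.3 and removed in 5.4 (as was register_globals), so on any current PHP the setting does not exist; either drop the recommendation or mark it as applying only to legacy PHP. The information-leakage bullet still carries "(TODO Not yet available)" inside a list of shipped protections; move it to a roadmap or tag it clearly as unimplemented, and fix "version informations" to "version information". The new footnote markers need checking against the footnote list, which is not in this diff: SQL injection shares "[*2]" with register_globals, XSS points at "[*1]" and CSRF at "[*5]", which looks like a mapping error rather than three references to distinct mechanisms.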
| '''Pages and files access''' | | '''Pages and files access''' |
− | * Pages and contents are protected by permissions (granted on groups or users) for each functional module. | + | * Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>. |
− | * Files saved by Dolibarr are stored in a different root directory than web application (so they can not be downloaded without passing by the Dolibarr wrapper). | + | * Files saved by Dolibarr are stored in a different root directory than web application (so they can not be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. |
− | * Dolibarr directories content can't be accessed even if Apache option Indexes has be forgotten to on (should not). | + | * Dolibarr directories content can't be accessed even if Apache option Indexes has be forgotten to on (should not) <sup>[*3]</sup>. |
| | | |
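Review bot: the first bullet should say what the "centralized entry code" does, e.g. "a centralized entry point that checks permissions (granted to groups or users, per functional module) before any page is served", otherwise the reader cannot tell whether the check is mandatory or opt-in. The second bullet's guarantee holds only if the documents directory really sits outside the web server's DocumentRoot and the Dolibarr wrapper itself enforces the permission check on every download; state both conditions, since a misconfigured documents path or a wrapper that only serves files would void it. The third bullet has a grammar problem: "even if Apache option Indexes has be forgotten to on (should not)" should read "even if the Apache Indexes option has been left on (which it should not be)".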
| '''Login protection''' | | '''Login protection''' |
− | * Delay anti brute force cracking on login page. | + | * Delay anti brute force cracking on login page <sup>[*7]</sup>. |
− | * Graphical code (CAPTCHA) against robots on login page. | + | * Graphical code (CAPTCHA) against robots on login page <sup>[*7]</sup>. |
− | * No passwords in logs, even in technical logs. | + | * No passwords in logs, even in technical logs <sup>[*7]</sup>. |
| * Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins. | | * Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins. |
| | | |
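Review bot: the first bullet reads awkwardly; "Anti-brute-force delay on the login page (increasing delay after failed logins)" says what it is, provided the delay does increase, which the line does not state and should. The "No passwords in logs" bullet is a strong claim worth keeping only if it also covers failed-login records and debug logs, since the unchanged last bullet says failed logins are logged permanently; say that the logger records the login name and outcome but never the submitted password. Minor: "user's administration" should be "user administration".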
| '''Viruses''' | | '''Viruses''' |
| * Possibility to run an anti-virus on every uploaded file. | | * Possibility to run an anti-virus on every uploaded file. |