Dear All,
I'm starting a new project on Modx Revo 2.2.1-pl and my customer and I are very concerned about security. I wanted to share my thoughts with the community.
After looking a bit at all places and doing some research, here is what I came up with.
Manager: I added an .htaccess file at the manager root:
# Apache 2.2 syntax (the version current for MODX Revo 2.2.x installs).
# Deliberately not wrapped in <Limit GET POST>: a <Limit> section restricts
# only the listed methods, so the deny would not apply to OPTIONS, PUT,
# DELETE or any arbitrary verb sent to the manager.
Order deny,allow
Deny from all
Allow from <customer office static IP>
Core: I know that the core directory should be moved away from the web root, but it's impossible in our case, so I added the following .htaccess in the core directory:
# Same rule as for the manager: no <Limit GET POST> wrapper, otherwise the
# deny only covers GET/HEAD/POST and every other HTTP method still reaches
# the files under core/.
Order deny,allow
Deny from all
In this case I'm wondering if it's as effective as removing it from the web root?
Ajax Requests: In order to secure my ajax requests, I created a document as an entry point for all ajax requests.
This blank document calls a snippet that refers to a static file (the directory where the snippet's file is located is also protected with the same .htaccess used in the core/ directory).
I set up a plugin that sets the $_SESSION['Token'] var OnWebPageInit, excluding my Ajax "entrypoint" document.
In my snippet, I test at each ajax request whether this var is set. If it's not set, it means that someone is trying to access the entry point directly (i.e. no document was visited before) and I can easily forbid any code execution.
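The plugin/snippet pair described above, written out as an added example (not the original poster's code; plugin and snippet names, the entrypoint id and the use of $modx->resourceIdentifier / $modx->aliasMap at OnWebPageInit are assumptions). It goes one step further than the isset test in the post by also comparing a token submitted with each request against the session value.

```php
<?php
/* Plugin "AjaxTokenGuard" (hypothetical name), attached to the OnWebPageInit event.
 * Assumption: at OnWebPageInit the resource is not loaded yet, but
 * $modx->resourceMethod / $modx->resourceIdentifier hold the requested id or
 * alias, and $modx->aliasMap resolves an alias to a resource id. */
$entrypointId = 123; // constructed: id of the blank Ajax entrypoint document

$requestedId = null;
if ($modx->resourceMethod === 'id') {
    $requestedId = (int) $modx->resourceIdentifier;
} elseif (isset($modx->aliasMap[$modx->resourceIdentifier])) {
    $requestedId = (int) $modx->aliasMap[$modx->resourceIdentifier];
}
// Never mint a token on the entrypoint itself: calling it directly must not
// satisfy the "a document was visited before" condition.
if ($requestedId === $entrypointId) {
    return;
}
if (empty($_SESSION['Token'])) {
    // Unpredictable value instead of a fixed flag, so it can also be sent back
    // with each request and compared rather than only tested with isset.
    $_SESSION['Token'] = bin2hex(openssl_random_pseudo_bytes(16));
}

/* Snippet "AjaxEntrypoint" (hypothetical name), the only snippet on the
 * entrypoint document. No session token means no document was rendered
 * before this request, so nothing else is executed. */
if (!function_exists('ajaxTokenValid')) {
    function ajaxTokenValid(array $session, array $post) {
        if (empty($session['Token']) || empty($post['token'])) {
            return false;
        }
        $a = (string) $session['Token'];
        $b = (string) $post['token'];
        if (strlen($a) !== strlen($b)) {
            return false;
        }
        $diff = 0; // constant-time comparison (hash_equals needs PHP >= 5.6)
        for ($i = 0; $i < strlen($a); $i++) {
            $diff |= ord($a[$i]) ^ ord($b[$i]);
        }
        return $diff === 0;
    }
}
if (!ajaxTokenValid($_SESSION, $_POST)) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
// ... authorised Ajax work goes here ...
```

The page that fires the Ajax call has to embed $_SESSION['Token'] (an uncached snippet returning it will do) and send it as the token POST field. Comparing the value, rather than only testing that it is set, also refuses a request forged from another site in a browser that already holds a session for the site.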
Thank you very much for your thoughts,
[ed. note: 111Studio last edited this post 12 years ago.]