Harden request headers, login interface and passwords to increase backend security.
composer require jvmtech/neos-hardening
- Remove Neos version info from request headers *
- Set min password strength requirements
- Change the default login url "/neos" to something like "/neos-random-suffix" *:
JvMTECH: NeosHardening: loginUri: 'neos-random-suffix'
- Replace the dynamic login url check with a custom RegEx (not needed if you just replace
loginUri
):JvMTECH: NeosHardening: loginUriRegex: '/^(neos)?($|\/)/'
- Limit login interface access to specified ip addresses:
JvMTECH: NeosHardening: allowedIPs: IPv4: - '172.20.30.40' - '172.20.0.0/24' IPv6: - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
- Define password strength requirements, defaults:
JvMTECH: NeosHardening: checkPasswordStrengthOnAddUser: true checkPasswordStrengthOnSetUserPassword: true passwordRequirements: minLength: 8 upperAndLowerCase: true numbers: true specialChars: false maxConsecutiveLetters: 0 # disabled maxConsecutiveNumbers: 0 # disabled
- An example for secure passwords (should be your standard because you use a password manager, right? 😉):
JvMTECH: NeosHardening: passwordRequirements: minLength: 16 upperAndLowerCase: true numbers: true specialChars: true maxConsecutiveLetters: 3 maxConsecutiveNumbers: 3 # "djxAHQC0bzc_tjd9nmg" would fail # "djx@HQC0bzc_tjd9nmg" would work
Hiding the Neos version in the request headers and moving the login to an new url is nothing else than "security by obsurity".
Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.
by jvmtech.ch