Dotkernel Admin provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations.
In order to create safe forms, Dotkernel Admin makes use of laminas/laminas-form and laminas/laminas-inputfilter. All shipped forms have their inputs validated, and it is strongly recommended any custom forms added also make use of input filters to validate user input.
Dotkernel Admin provides protection against CSRF attacks by using CSRF token creation and validation, available for all forms.
All forms provided make use of CSRF token validation, but you must ensure to implement this step for any new forms you create.
This step is described in the Set Up CSRF tutorial.
This project makes use of dot-rbac-guard and dot-rbac to handle access control.
The default modules have already been configured, but any custom functionality will require additional configuration to make sure it is protected. Update the configuration files of both these packages whenever you add new routes or roles.
This step is described in the Configure Authorizations tutorial.
Make sure your session cookie settings are properly set up for usage in production by reviewing the config/autoload/session.global.php file.
Pay extra attention to the following keys, to make sure your desired values are set:
session_config.cookie_httponlysession_config.cookie_samesitesession_config.cookie_secureAdmin ships with a demo admin account, with public identity and password.
Make sure to change or remove this demo account when going live.
Dotkernel Admin uses composer to handle PHP dependencies.
In time, make sure to review any common vulnerabilities and exposures for your dependencies.
You may also keep an eye on the Dotkernel Admin changelog for any updates relevant to your project.
This project uses npm to handle JavaScript dependencies.
Keep an eye on any vulnerabilities whenever using npm to install or update packages.
You may use the
npm auditcommand to check for vulnerabilities in the currentnode_modules.
*.global.php and *.php.dist configuration files are visible to the VCS, make sure not to include sensitive data in commits.*.local.php configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys.config/autoload/cors.global.php to ensure your application is accessible by your preferred origins.development mode is correctly set - do not enable development mode in a production environment.composer development-statusRead more about using Laminas Continuous Integration.