Security Configuration

If running Perch or Perch Runway in particularly sensitive environments, you can switch the system into Paranoid Security Mode in the perch/config/config.php file.

define('PERCH_PARANOID', true);

This mode enables a set of smaller security hardening features in one easy step. If you want to change the defaults or disable certain subfeatures, you can do that with the individual configuration options detailed below.

Users and passwords

Paranoid security mode affects user accounts in the following ways:

These subfeatures can be individual controlled with the following settings:

Setting Value Default
PERCH_MAX_FAILED_LOGINS The number of failed logins before account lockout 10
PERCH_AUTH_LOCKOUT_DURATION The amount of time to lock the user account for after failed logins 1 HOUR
PERCH_STRONG_PASSWORDS Enable the ‘strong’ password rule set true
PERCH_PASSWORD_MIN_LENGTH The minimum length for a password 6
PERCH_FORCE_SECURE_COOKIES Enforce the use of secure cookies (requires SSL/TLS) true

When PERCH_MAX_FAILED_LOGINS is set, the account is locked for PERCH_AUTH_LOCKOUT_DURATION when that limit is hit. At that point, the user is sent an email telling them their account has been locked. Nothing changes on the login form when this happens (we want an attacker to waste their effort, not learn that the account has been locked and improve their strategy).

The user can unlock their own account with a password reset - they’re sent a token to do so in the email. This means there’s never a requirement for a higher-level user to unlock a locked account. It’s also impossible for an attacker to completely disable the system by locking everyone out at once. It’s safe to unlock using a password reset, as if the attacker has access to the email account there’s no need to be brute forcing the login in the first place, they could just reset the password over email.

Files and uploads

Paranoid security mode affects file handling in the following ways:

These subfeatures can be individual controlled with the following settings:

Setting Value Default
PERCH_VERIFY_UPLOADS Force uploaded files to be verified for type true

File uploads are checked for the following, based on OWASP recommendations

The whitelist of mime types is held within in the perch/config/filetypes.ini file. This has been updated for Perch 2.8.26, so if you’re updating an older version you’ll need to copy it over.

With PERCH_VERIFY_UPLOADS enabled, no file uploads are accepted unless they match all of the above rules. This depends on having the PHP FileInfo extension configured and working to be able to detect file mime types.

Image field types (type="image") default to only accepting the mime types from the webimage group specified in the filetypes.ini file. These are images that you’d normally embed on web pages (jpg, png, gif, svg, webp).

File field types (type="file") defaults to these groups: pdf, text, richtext, xml, zip, audio, video, office.

You can override these defaults on a field level by specifying the accept attribute with a comma-delimited list of group names from the filetypes.ini file.

<perch:content id="file" type="file" accept="pdf,zip">

You can also limit the acceptable file size in bytes:

<perch:content id="file" type="file" accept="pdf,zip" max-file-size="2000000">