
Securing an Exponential site

Securing the site depends on whether you are using a virtualhost setup or a non-virtualhost setup. In a virtualhost setup every URL is rewritten to the index.php script; in a non-virtualhost setup the index.php script must appear in the URL itself, and the web server serves every other file as it is.

Virtualhost setups

Virtualhost setups are secure against direct file access by default, since all requests are sent to the index.php script, with the exception of images, stylesheets and JavaScript files. The only thing required to secure the site is to make sure that all custom made templates follow the security guidelines for templates.

Non-Virtualhost setups

Non-virtualhost setups are insecure by default. Because index.php must be placed explicitly in the URL, the web server will just as readily execute any other script directly, and will hand out .ini files containing password information as plain text. Because of this a non-virtualhost setup is not recommended; if you have no choice, the guidelines below can be used to secure the site.

You also need to make sure that all custom made templates follow the security guidelines for templates.

Install a .htaccess file

The Apache web server allows each site to install a .htaccess file which controls which files are accessible and can set PHP options. The .htaccess file is placed in the root of your Exponential installation; an example of how it may look follows. The first FilesMatch section denies every file, the second re-allows index.php and the static files the site needs (images, stylesheets and JavaScript), the RewriteRule routes any other URL to index.php, and DirectoryIndex makes index.php the default document. Two caveats: the .htaccess file is only honoured if the server configuration sets AllowOverride to permit at least Limit, FileInfo and Indexes for the directory, and the Order/Allow/Deny directives are the Apache 2.2 access-control syntax, which Apache 2.4 accepts only with mod_access_compat loaded (the 2.4 equivalents are Require all denied and Require all granted).

<FilesMatch ".">
order allow,deny
deny from all
</FilesMatch>

<FilesMatch "(index\.php|\.(gif|jpe?g|png))$">
order allow,deny
allow from all
</FilesMatch>

RewriteEngine On
RewriteRule !\.(gif|css|jpe?g|png|js)$ index.php

DirectoryIndex index.php
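A smoke test for the rules above, added here as an example and not part of Exponential: it requests a handful of URLs from a running site and reports any response that comes back as readable configuration. A 403 from the .htaccess rules, a 404, a page rendered by index.php, or an empty 200 from an executed .ini.php are all acceptable; credential lines, a section header or raw PHP source in a 200 response are not. The base URL, the script name and the list of paths are assumptions to adapt to your installation; only index.php, the settings directory and the file names from this page are used.

```python
"""Probe a non-virtualhost Exponential site for configuration files that the
web server still serves as text. Added example; not part of Exponential.

Usage: python probe_settings.py http://www.example.com/   (URL is an assumption)
"""
import re
import sys
import urllib.error
import urllib.request

# Paths that must never come back as readable configuration. The directory
# layout and file names follow this page; the list is an assumption and
# should be extended with the files of your own installation.
SENSITIVE = [
    "/settings/site.ini",
    "/settings/override/site.ini.append",
    "/settings/site.ini.php",
    "/settings/override/site.ini.append.php",
]
# Paths the .htaccess rules must still serve.
MUST_SERVE = ["/index.php"]

# A credential line of an INI file in a 200 response means the file was
# served as text rather than blocked or executed.
SECRET_LINE = re.compile(rb"^\s*(Password|User)\s*=", re.M)


def leaks_config(status, body):
    """True when the response body reveals configuration.

    Only a 200 counts; a denied (403) or missing (404) file is fine, and so
    is an empty body, which is what PHP produces for a wrapped .ini.php.
    Raw PHP source in the body means the server did not execute the file.
    """
    if status != 200:
        return False
    return (SECRET_LINE.search(body) is not None
            or b"[DatabaseSettings]" in body
            or b"<?php" in body)


def fetch(url):
    """Return (status, body); HTTP error responses are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, paths):
    """Return one (path, status, leaked) tuple per requested path."""
    base = base_url.rstrip("/")
    results = []
    for path in paths:
        status, body = fetch(base + path)
        results.append((path, status, leaks_config(status, body)))
    return results


def main(argv):
    base = argv[1] if len(argv) > 1 else "http://localhost/"
    failures = 0
    for path, status, leaked in probe(base, SENSITIVE):
        print(f"{status} {'LEAK' if leaked else 'ok  '} {path}")
        failures += leaked
    for path, status, _ in probe(base, MUST_SERVE):
        served = status == 200
        print(f"{status} {'ok  ' if served else 'FAIL'} {path}")
        failures += not served
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once before and once after installing the .htaccess file; the run before should show the plain .ini files as LEAK and the run after should show nothing but ok lines, with /index.php still served.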

Use .ini.php files

All .ini files in Exponential are served as plain text in non-virtualhost mode unless the web server is configured to block them, which means that placing items such as usernames and passwords in these files is dangerous.

Fortunately the .ini file reader in Exponential can read so-called PHP-wrapped .ini files. To create one, give the file the suffix .ini.php (.ini.append.php for append files), wrap its entire contents in a PHP comment and place it in the settings directory (settings/override for append files). Because the file name ends in .php the web server hands it to PHP instead of serving it as text, and because everything inside is a comment the script produces no output. The web setup automatically creates such files in settings/override/ for you with all the personal settings. Make sure that no value in the file contains the sequence */, since it ends the comment early and everything after it is no longer hidden.

site.ini.php

<?php /*
[DatabaseSettings]
Server=mydbserver
User=myuser
Password=mypassword
*/ ?>
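A local audit of a settings directory, added here as an example and not Exponential's own .ini reader: it flags plain .ini and .ini.append files that carry credentials, checks that every .ini.php file is enclosed in a single PHP comment with no stray */ inside it, and parses the wrapped body the way the file above is laid out. The parser handles only [Section] and Key=Value lines, the key names treated as credentials are an assumption, and so are the script and directory names.

```python
"""Audit Exponential settings files for credentials a non-virtualhost setup
would serve as plain text. Added example; not Exponential's own .ini reader.

Usage: python audit_settings.py settings/   (directory name is an assumption)
"""
import pathlib
import re
import sys

# PHP wrapper expected around a .ini.php file: an opening tag that starts a
# block comment, and the matching comment end followed by the closing tag.
WRAP_START = re.compile(r"\A\s*<\?php\s*/\*")
WRAP_END = re.compile(r"\*/\s*\?>\s*\Z")
# Keys treated as credentials (assumption; extend for your installation).
SECRET_KEY = re.compile(r"^\s*(Password|User)\s*=", re.M)


def unwrap(text):
    """Return the INI body of a PHP-wrapped file, or None if the wrapper is
    missing or broken. A stray '*/' inside the body ends the comment early,
    so PHP would execute or print everything that follows it."""
    start = WRAP_START.match(text)
    end = WRAP_END.search(text)
    if not start or not end or end.start() < start.end():
        return None
    body = text[start.end():end.start()]
    if "*/" in body:
        return None
    return body


def parse_ini(body):
    """Minimal parser for the [Section] / Key=Value layout shown above."""
    config, section = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            config[section][key.strip()] = value.strip()
    return config


def classify(name, text):
    """Return ("ok" | "warn" | "error", message) for one settings file."""
    if name.endswith(".php"):
        body = unwrap(text)
        if body is None:
            return "error", f"{name}: PHP wrapper missing or broken; contents would leak"
        count = sum(len(keys) for keys in parse_ini(body).values())
        return "ok", f"{name}: wrapped, {count} settings hidden from the web server"
    if SECRET_KEY.search(text):
        return "warn", f"{name}: credentials in a plain file; rename to {name}.php and wrap it"
    return "ok", f"{name}: no credentials"


def audit(settings_dir):
    """Classify every .ini, .ini.append, .ini.php and .ini.append.php file."""
    root = pathlib.Path(settings_dir)
    return [classify(p.name, p.read_text(encoding="utf-8", errors="replace"))
            for p in sorted(root.rglob("*.ini*")) if p.is_file()]


if __name__ == "__main__":
    findings = audit(sys.argv[1] if len(sys.argv) > 1 else "settings")
    for severity, message in findings:
        print(f"{severity:5} {message}")
    sys.exit(1 if any(s != "ok" for s, _ in findings) else 0)
```

The wrapper check is the part worth keeping in a deployment pipeline: a password that happens to contain */ passes every other test and still turns the file into a public page.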

Copyright © 1998-2025 Exponential