This article gives security hints for RosarioSIS.
Instead of creating the RosarioSIS database with the default postgres user, first create a user that can log in and create databases. Then log in as that user and create the RosarioSIS database so that the RosarioSIS user is its owner. That way, if the RosarioSIS user's password is discovered, the whole PostgreSQL server is not compromised.
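The following SQL is an added example of that setup, not part of the original article or of RosarioSIS itself. It is meant to be run as the postgres superuser (for instance with psql), the role and database names "rosariosis" and the password are placeholders, and it goes slightly beyond the text by dropping CREATEDB once the database exists and by checking the result.

```sql
-- Added example (not from the RosarioSIS documentation). Run as the postgres
-- superuser, e.g.: psql -U postgres -f create_rosariosis.sql
-- Role/database names are assumptions; replace the placeholder password.

-- 1. A dedicated role that can log in and create databases, but is NOT a
--    superuser and cannot create other roles.
CREATE ROLE rosariosis WITH LOGIN CREATEDB NOSUPERUSER NOCREATEROLE
    PASSWORD 'CHANGE-ME-long-random-secret';

-- 2. Create the database while acting as that role, so the role (not
--    postgres) becomes the owner. SET ROLE has the same effect as logging
--    in as the new user for the purpose of this statement.
SET ROLE rosariosis;
CREATE DATABASE rosariosis WITH OWNER = rosariosis ENCODING = 'UTF8';
RESET ROLE;

-- 3. CREATEDB was only needed for step 2; drop it so a leaked password
--    cannot be used to create further databases on the server.
ALTER ROLE rosariosis NOCREATEDB;

-- 4. Check the result: rolsuper / rolcreaterole / rolcreatedb must all be
--    false, and the database owner must be rosariosis.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
  FROM pg_roles
 WHERE rolname = 'rosariosis';

SELECT datname, pg_get_userbyid(datdba) AS owner
  FROM pg_database
 WHERE datname = 'rosariosis';
```

The RosarioSIS installer is then pointed at the "rosariosis" role and database; the postgres superuser password never appears in the application configuration.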
If you have successfully installed RosarioSIS on your production server:
Here is the list of files which contain the version number of RosarioSIS, in case you would like to hide it:
Be careful when you update RosarioSIS: if the update overwrites these files, the files listed above become accessible again!
Change the default usernames and passwords (admin, teacher, student, parent) and adopt a password policy.
Here are some php.ini directives that can be modified for session security:
; session.use_strict_mode specifies whether the module will use strict session id mode.
; If this mode is enabled, the module does not accept uninitialized session ID.
; If uninitialized session ID is sent from browser, new session ID is sent to browser.
; Applications are protected from session fixation via session adoption with strict mode.
; Defaults to 0 (disabled).
; http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
session.use_strict_mode = 1

; http://php.net/session.hash-function
; Note: session.hash_function was removed in PHP 7.1; on PHP 7.1 and later
; the session ID length and entropy are set with session.sid_length and
; session.sid_bits_per_character instead.
session.hash_function = sha256
Here is a good set of Apache rules to block attacks: 6G Blacklist 2019
WebSecTools, protect your website.
Mozilla Observatory, test your server security.