Security Considerations

To ensure your myDBR installation remains secure, we recommend implementing the following best practices:

  • Change the default administrator credentials: Replace the default 'dba' account with a unique username and a strong password.
  • Use HTTPS: Encrypt all traffic between the server and clients.
  • Define a unique URL hash seed: Configure this in Environment settings > Authentication / security.
  • Enforce strong password policies: Configure rules in Environment settings > Password settings when using myDBR authentication.
  • Enable Two-Factor Authentication (2FA): Provide an additional layer of security for user accounts.
  • Maintain server updates: Keep the operating system, web server, PHP, and myDBR updated.
  • Restrict administrative PHP access: Unless an administrator genuinely needs server-level access, disable the ability to execute PHP and reach the filesystem from within myDBR.
  • Mitigate XSS risks: Be cautious when handling external HTML or JavaScript content.

Change the Default Administrative Username

Upon installation, myDBR creates a default administrator account with the username 'dba'. You should immediately create a new administrator account with a secure password and disable the original 'dba' account. This step is critical regardless of your chosen authentication method, as local logins remain accessible for administrative recovery.

Use HTTPS

Configuring your server to use HTTPS ensures that all communication, including credentials, reports, and session data, is encrypted and protected from interception.

URL Hash Seed

All myDBR reports are accessible via unique URLs. So that only trusted sources can produce valid report URLs, a hash value is appended to each URL, calculated from the URL parameters and an installation-specific "URL hash seed". If the seed is not unique to your installation, anyone who knows it can compute a valid hash for any parameters they choose, so use the Randomize button for the URL hash seed in Environment settings > Authentication / security to give your installation its own seed.
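As an added illustration (this is not myDBR's own code, and the page does not describe the exact hash construction myDBR uses), the following Python sketch shows how a keyed hash over the URL parameters lets a server reject links it did not issue, and why the seed has to be unique: the parameter names r, u1 and h, the HMAC-SHA256 construction, the parameter canonicalisation and both seed values are assumptions chosen for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed placeholders: a seed that several installations might share (as a
# never-randomized value would be) and one produced by the Randomize button.
SHARED_SEED = "unchanged-default-seed"
SITE_SEED = "3f0a9c6e2b7d4e18a5c2f9b1d0e7a6c4"
HASH_PARAM = "h"  # assumed name of the appended hash parameter


def canonical_query(params):
    """Sort the parameters so the hash does not depend on their order in the URL."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != HASH_PARAM))


def url_hash(params, seed):
    """Keyed hash over the canonical parameters. The seed is the key, so only a
    party holding the seed can produce a value the server will accept."""
    digest = hmac.new(seed.encode(), canonical_query(params).encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def sign_url(base, params, seed):
    signed = dict(params)
    signed[HASH_PARAM] = url_hash(params, seed)
    return f"{base}?{urlencode(signed)}"


def verify_url(url, seed):
    """True only if the hash carried in the URL matches its parameters under this seed."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.pop(HASH_PARAM, None)
    if presented is None or not presented.isascii():
        return False
    # Constant-time comparison, so response timing does not leak hash prefixes.
    return hmac.compare_digest(presented, url_hash(params, seed))


def demo():
    base = "https://reports.example.com/mydbr/report.php"  # constructed URL
    params = {"r": "42", "u1": "2024-01"}

    link = sign_url(base, params, SITE_SEED)
    tampered = link.replace("u1=2024-01", "u1=2023-01")

    # Someone who knows the shared seed can forge links for any installation that
    # never randomized it, but not for one that has its own seed.
    forged = sign_url(base, {"r": "42", "u1": "2023-01"}, SHARED_SEED)

    return {
        "genuine": verify_url(link, SITE_SEED),
        "tampered": verify_url(tampered, SITE_SEED),
        "forged_vs_shared_seed": verify_url(forged, SHARED_SEED),
        "forged_vs_site_seed": verify_url(forged, SITE_SEED),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The forged link is accepted only by the installation whose seed the forger knows; once the seed has been randomized, every previously issued link must be regenerated, which is the expected cost of rotating it.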

Enforce Password Policies

Strong password policies make user accounts significantly harder to compromise. The rules configured in myDBR apply to accounts that myDBR authenticates itself; if users sign in through an external authentication mechanism, the policy has to be enforced there. For more information, see the password policy article on Wikipedia.

Keep the Server Environment Updated

Ensure that your entire server stack remains up-to-date. This includes the operating system, web server (e.g., Apache, Nginx), PHP, and the myDBR application itself. Regular updates mitigate known security vulnerabilities.

Restrict Administrative PHP Access

By default, myDBR provides administrators with the ability to execute PHP for creating extensions and custom commands. While powerful, this access can also allow administrators to interact with the server's filesystem.

To limit this capability, particularly for administrators who do not require server-level access, add the following configuration to user/extension_init.php:

$mydbr_defaults['admin_restrictions']['can_access_php'] = false;

Disabling this setting prevents administrative access to PHP files within the Server side files functionality and stops administrators from using PHP-based command extensions.

Mitigating XSS Risks

Cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a website. In the context of myDBR, this could involve an attacker injecting JavaScript that is subsequently executed by an administrator with high-level privileges.

myDBR HTML-encodes report data by default, so a value that happens to contain markup or script is displayed literally rather than interpreted by the browser. The exception is content that a report deliberately emits as raw HTML or JavaScript: dbr.html, dbr.html:, and dbr.javascript render their content as-is, so use them only for content you control (for example, your own code). If a report incorporates external HTML or imports data from third-party sites, that content may contain malicious code; emit it with dbr.html.ext or dbr.html.ext: instead, which clean the content before it is rendered.

myDBR utilizes the htmLawed library to sanitize external HTML when using dbr.html.ext or dbr.html.ext:. By default, the htmLawed "safe" configuration is used. You can customize these settings in $mydbr_defaults['xss']['htmLawed_options']. For example, to exclude specific HTML elements, set the elements option using htmLawed's syntax, where * stands for all elements and a leading minus removes one:

$mydbr_defaults['xss']['htmLawed_options']['elements'] = '* -applet -audio -canvas -dialog -embed -iframe -object -script -video -img -a';