Security and Troubleshooting

Security

We are working hard to ensure that myDBR is secure. myDBR is updated regularly, and these updates, in addition to new features, may also contain security improvements. Also make sure you read any security notes in the release notes.

Security considerations

The items listed below help ensure that your installation of myDBR is secure.

  • Change the default admin username/password
  • Use HTTPS whenever possible
  • Define a unique URL hash seed in Environment settings → Authentication / security
  • Enforce password rules in Environment settings → Password settings when using myDBR authentication
  • Keep your server up to date
  • Limit admin rights to PHP

Change the default admin username

When myDBR is installed, an admin user named 'dba' is created with a default password. It is recommended that you create another admin user with a secure password and disable the original one. Note that this should be done regardless of the authentication method in use, as local logins are always accessible.

Use HTTPS whenever possible

When the server is configured to accept connections only over a secure HTTPS connection, all information sent is protected. This includes your authentication information, report data and session information.

URL hash seed

All myDBR reports are accessible via a URL. To make sure that a URL was generated by a trusted source (myDBR itself, or an admin with access to the data required for URL generation), the URL is checked against a hash value that is appended to the URL. The hash value is calculated from the URL parameters together with the URL hash seed, which is installation specific. To make sure your reports have a unique hash value, click the Randomize button under "URL hash seed" in Environment settings → Authentication / security.
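The check described above, as an added illustration of the mechanism rather than myDBR's own code: the parameters are canonicalised, a keyed hash is computed with the installation's seed, and on access the hash is recomputed and compared. HMAC-SHA256, the parameter name "hash" and the sorted canonical form are assumptions for this example; myDBR's actual hash construction is not documented here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit


def sign_params(params: dict, seed: str) -> str:
    """Keyed hash over the canonical (sorted) parameter string.

    The seed is the installation-specific secret; without it a URL with
    altered parameters cannot be given a matching hash.
    """
    canonical = urlencode(sorted(params.items()))
    return hmac.new(seed.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def build_report_url(base: str, params: dict, seed: str) -> str:
    """Produce a report URL carrying its hash (assumed parameter name 'hash')."""
    query = urlencode(sorted(params.items()))
    return f"{base}?{query}&hash={sign_params(params, seed)}"


def verify_report_url(url: str, seed: str) -> bool:
    """Recompute the hash from the URL's own parameters and compare it
    in constant time with the supplied one. Any changed, added or removed
    parameter, or a URL generated under a different seed, fails."""
    parts = urlsplit(url)
    # Demo only: a dict drops repeated parameter names.
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    supplied = query.pop("hash", None)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, sign_params(query, seed))


def new_random_seed() -> str:
    """What 'Randomize' conceptually does: a fresh, unguessable per-installation seed.
    A seed shared by many installations lets anyone who knows it mint valid URLs."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    seed = new_random_seed()
    # Constructed sample: report 42 with one parameter, on a placeholder host.
    url = build_report_url("https://example.invalid/mydbr/report.php",
                           {"r": "42", "u1": "2023"}, seed)
    print(url)
    print("valid:", verify_report_url(url, seed))
    print("tampered:", verify_report_url(url.replace("u1=2023", "u1=2024"), seed))
```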

Enforce password rules

Enforcing password rules makes passwords harder to guess. See the Wikipedia article about password policy.

Keep your server up to date

Make sure your server is up to date. This includes all software components on your server: the operating system, server software (web server, PHP) and myDBR itself.

Limiting admin's rights to PHP

By default, myDBR extends its functionality by offering PHP access to admins. This includes the capability to create myDBR extensions, further customization by extending existing myDBR commands, etc.

With PHP access, an admin can also reach resources inside the server via PHP's filesystem functions. If you grant myDBR admin access to users who should not have access to server files, you can restrict PHP access by adding the following line to user/defaults.php:

$mydbr_defaults['admin_restrictions']['can_access_php'] = false;

This setting prevents admins from accessing PHP files in the 'Server side files' functionality and from using PHP commands to extend existing commands.