Security: MacareuxDigital/coding-standards

docs/security.md

Security & XSS Protection

Security is very important to Concrete CMS.

As a developer who uses Concrete CMS to build web applications, you need to ensure that your code is secure. Fortunately, Concrete CMS ships a number of helper libraries and functions that make writing secure code straightforward.

🔐 Security Guidelines for Local Development with Concrete CMS

🧱 Concrete CMS-Specific Security

1. Block & Controller Security

  • ✅ Use Concrete’s Security, Request, and Database classes for all input and data handling.
  • ✅ Escape all output with h() or $this->app->make('helper/text')->entities().
  • ✅ Always implement CSRF tokens in custom forms.
  • ❌ Never access $_POST or $_GET directly—use Concrete’s request objects.
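The four rules above applied together in one block, as an added example that is not code from this repository or from Concrete CMS itself. The block handle (`feedback`), its table (`btFeedback` with columns `id`, `bID`, `author`, `message`), the action name and the file paths are assumptions. The controller emits a CSRF token, validates it on submit, reads input through Concrete's `Request` object, writes through a parameterised Doctrine DBAL statement, and the view escapes every value with `h()`:

```php
<?php
// ===== application/blocks/feedback/controller.php (assumed path) =====
// Added example, not from the coding-standards repository or Concrete CMS core.
namespace Application\Block\Feedback;

use Concrete\Core\Block\BlockController;
use Concrete\Core\Database\Connection\Connection;
use Concrete\Core\Http\Request;
use Concrete\Core\Validation\CSRF\Token;

class Controller extends BlockController
{
    // Assumed table: id INT AUTO_INCREMENT, bID INT, author VARCHAR, message TEXT
    protected $btTable = 'btFeedback';

    public function view()
    {
        /** @var Token $token */
        $token = $this->app->make('token');
        // The view prints this hidden field inside its <form>; the action name
        // must match the one passed to validate() below.
        $this->set('tokenField', $token->output('feedback_submit', true));
        $this->set('entries', $this->loadEntries());
    }

    // Reached through $view->action('submit') in view.php.
    public function action_submit()
    {
        /** @var Token $token */
        $token = $this->app->make('token');
        if (!$token->validate('feedback_submit')) {
            // Reject the submission entirely; do not fall through to the write.
            $this->set('error', $token->getErrorMessage());
            return $this->view();
        }

        /** @var Request $request */
        $request = $this->app->make(Request::class);
        // POST fields come from the request object, never from $_POST.
        $author  = trim((string) $request->request->get('author', ''));
        $message = trim((string) $request->request->get('message', ''));
        if ($author === '' || $message === '') {
            $this->set('error', t('Both fields are required.'));
            return $this->view();
        }

        /** @var Connection $db */
        $db = $this->app->make(Connection::class);
        // Parameterised statement: user input never becomes part of the SQL text.
        $db->executeQuery(
            'INSERT INTO btFeedback (bID, author, message) VALUES (?, ?, ?)',
            [$this->bID, $author, $message]
        );
        $this->set('success', t('Thanks for your feedback.'));
        return $this->view();
    }

    private function loadEntries(): array
    {
        /** @var Connection $db */
        $db = $this->app->make(Connection::class);
        // fetchAll($sql, $params) is the DBAL 2.x API Concrete ships with;
        // on DBAL 3 use fetchAllAssociative() instead (assumption about your version).
        return $db->fetchAll(
            'SELECT author, message FROM btFeedback WHERE bID = ? ORDER BY id DESC',
            [$this->bID]
        );
    }
}
?>
<?php // ===== application/blocks/feedback/view.php (assumed path) =====
defined('C5_EXECUTE') or die('Access Denied.');
/** @var string $tokenField  @var array $entries  @var string|null $error  @var string|null $success */
?>
<?php if (!empty($error)): ?><p class="alert alert-danger"><?= h($error) ?></p><?php endif; ?>
<?php if (!empty($success)): ?><p class="alert alert-success"><?= h($success) ?></p><?php endif; ?>
<form method="post" action="<?= h($view->action('submit')) ?>">
    <?= $tokenField /* already safe HTML produced by the Token helper */ ?>
    <input type="text" name="author" maxlength="100">
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
</form>
<ul>
<?php foreach ($entries as $entry): ?>
    <!-- Every stored value is escaped on output, regardless of how it was stored. -->
    <li><strong><?= h($entry['author']) ?></strong>: <?= h($entry['message']) ?></li>
<?php endforeach; ?>
</ul>
```

Note that escaping happens at output time in the view, not when the value is stored: the same `author` string may later be rendered in a different context (a JSON response, an attribute) that needs a different escaper, so keeping the stored value raw and escaping per context is the safer habit.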

2. Configuration Management

  • ❌ Never commit sensitive files like application/config/database.php to version control.
  • ✅ Use environment variables or local config overrides for credentials.
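What the two bullets above look like in practice, as an added example rather than a file from this repository: an `application/config/database.php` that reads every credential from the environment and refuses to boot if one is missing. The `CONCRETE_DB_*` variable names are assumptions; the array shape (`default-connection`, `connections`, `c5_pdo_mysql`) is the one the Concrete installer writes, but with literal values where the `getenv()` calls are.

```php
<?php
// application/config/database.php (added example, not from the repository).
// Contains no secrets, so it can be committed; the installer-generated version
// with literal credentials must stay in .gitignore.

$required = ['CONCRETE_DB_HOST', 'CONCRETE_DB_NAME', 'CONCRETE_DB_USER', 'CONCRETE_DB_PASSWORD'];
foreach ($required as $name) {
    if (getenv($name) === false) {
        // Fail loudly at boot instead of silently trying empty credentials.
        throw new RuntimeException("Missing required environment variable: {$name}");
    }
}

return [
    'default-connection' => 'concrete',
    'connections' => [
        'concrete' => [
            'driver'   => 'c5_pdo_mysql',
            'server'   => getenv('CONCRETE_DB_HOST'),
            'database' => getenv('CONCRETE_DB_NAME'),
            'username' => getenv('CONCRETE_DB_USER'),
            'password' => getenv('CONCRETE_DB_PASSWORD'),
            'charset'  => 'utf8mb4',
        ],
    ],
];
```

Set the variables in the web server or PHP-FPM pool configuration (or a local `.env` loader of your choice, also kept out of version control) so that neither the repository nor the shell history holds the password.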

🖥️ Local Server & File System Best Practices

1. Backups & Sensitive Files

  • ❌ Never store backup files in public or any web-accessible directory.
  • ❌ Avoid backup naming like index.php.bak or index.php.20250625—these may be executed if accessed.
    • ✅ Prefer names like 20250625_index.php to prevent PHP execution.
  • ✅ Store all backups outside the document root, ideally in a dedicated backups directory.

2. File Permissions & Ownership

  • ✅ Set secure permissions: Files 644, Directories 755.
  • ❌ Never use 777 permissions or run PHP/Apache as root.
  • ✅ Ensure the web server runs as a restricted user (e.g., apache, nginx).

3. Error Display & Logging

  • ❌ Never enable display_errors in production environments.
  • ✅ Log errors to a secure, non-public directory outside the web root.
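The three checks in this section (no backup files with executable names in the web root, 644/755 permissions, and error display turned off) can be audited from the command line. The script below is an added example, not a tool from this repository; the script name `audit-webroot.php` and the thresholds are assumptions. Run it against the document root of a local checkout:

```php
<?php
// audit-webroot.php (added example, not from the repository).
// Usage: php audit-webroot.php /path/to/document-root
// Exit status 1 means at least one finding; 0 means clean.

/** Files such as index.php.bak or index.php.20250625: ".php" followed by another suffix. */
function findRiskyBackups(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        // Matches "name.php.<anything>" and "name.php~"; a handler configured by
        // extension rather than by a "\.php$" match may still run these as PHP.
        if (preg_match('/\.php(\.[^.]+|~)$/i', $file->getFilename())) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

/** Anything more permissive than 644 (files) or 755 (directories). */
function findBadPermissions(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $file) {
        $mode     = $file->getPerms() & 0777;
        $expected = $file->isDir() ? 0755 : 0644;
        // Report only extra bits (e.g. group/world write, or execute on a file);
        // a stricter mode than the baseline is not a finding.
        if (($mode & ~$expected) !== 0) {
            $hits[] = sprintf('%s (%04o, expected at most %04o)', $file->getPathname(), $mode, $expected);
        }
    }
    return $hits;
}

/** display_errors / error_log as seen by the SAPI this script runs under. */
function checkErrorSettings(): array
{
    $problems = [];
    $display = strtolower((string) ini_get('display_errors'));
    if ($display !== '' && $display !== '0' && $display !== 'off' && $display !== 'false') {
        $problems[] = "display_errors is enabled (value \"{$display}\") for SAPI " . PHP_SAPI;
    }
    $log = (string) ini_get('error_log');
    if ($log === '') {
        $problems[] = 'error_log is unset; errors go to the SAPI default instead of a private log file';
    }
    return $problems;
}

$root = $argv[1] ?? '';
if ($root === '' || !is_dir($root)) {
    fwrite(STDERR, "usage: php audit-webroot.php <document-root>\n");
    exit(2);
}

$findings = [
    'Backup files with executable-looking names' => findRiskyBackups($root),
    'Files or directories more permissive than 644/755' => findBadPermissions($root),
    'Error display / logging' => checkErrorSettings(),
];

$total = 0;
foreach ($findings as $title => $items) {
    if ($items === []) {
        continue;
    }
    echo "== {$title} ==\n";
    foreach ($items as $item) {
        echo "  {$item}\n";
    }
    $total += count($items);
}
echo $total === 0 ? "No findings.\n" : "{$total} finding(s).\n";
exit($total === 0 ? 0 : 1);
```

One caveat: the error-setting check reads the ini values of the CLI SAPI, which usually has its own `php.ini`. To check what the web server sees, run the same two `ini_get()` calls through PHP-FPM or Apache (for example via a temporary script that you remove afterwards), or inspect the pool's `php_admin_value` settings directly. Executables that legitimately need 755 (deployment scripts, `concrete/bin/concrete`) will also be listed, so treat the permissions output as a review list rather than an automatic fail.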

🌐 Network & Development Environment

1. Database Handling

  • ❌ Never use production databases for local development.
  • ✅ Use local databases with anonymized or dummy data.
  • ✅ Store local DB credentials in files like config/valet.database.php (excluded from version control).

2. Web Server Setup

  • ❌ Avoid installing unnecessary PHP modules—minimize the attack surface.
  • ✅ Regularly update your local environment and dependencies.

Tip: Review Concrete CMS’s official security documentation for more best practices.
