Github Repo Security Advice

We know that many of you publish your projects on Github, Bitbucket or other Git repository platforms — which is great! Unfortunately it happens too often that sensitive data ends up in those public repositories and thus becomes public as well. It’s not just a Kirby issue. You can find all sorts of horrible database connection credentials and API keys all over Github. It’s not even something to be ashamed of. It’s often really hard to think of all the places where sensitive data could be stored and then exclude it. But it’s really, really important to do so.

That’s why we wanted to send you an extra reminder to check your repositories and remove everything that shouldn’t be stored in there. If you find something, you should also remove the history for it from your repository in order to completely get rid of traces of such data. Github has a great guide for it: https://help.github.com/articles/remove-sensitive-data/

In our starterkits, we include a default gitignore file, which should skip all the critical parts. But please still check for the following:

  • Never ever include any account file in /site/accounts
  • Don’t include your /site/config/config.php
  • Don’t include cache files in /site/cache

Suggestions for additional checks:

  • check your htaccess for critical server setup rules before you include it.
  • do you store any sensitive data in your content files? if yes, please exclude them.
  • think about places where API keys for 3rd party services could be stored and exclude them
  • do you have additional database credentials stored somewhere?
  • do you store any server credentials with your projects? (hint: never do that)

If you want to know more about how to make your Kirby installation more secure, we have a guide for you: https://getkirby.com/docs/developer-guide/security

We hope that such posts and guides help to keep you and your sites out of unnecessary trouble. Let us know if you have additional suggestions for what other users should keep in mind.

12 Likes
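As an added example that is not part of the original post or of the Kirby project, here is a small Python pre-commit style check that turns the list above into something a repository can verify automatically: it flags staged paths under the sensitive Kirby 2 locations (accounts, config.php, cache, and the thumbs folder mentioned later in the thread), reports which of those paths a .gitignore does not yet cover, and reports credential-looking `c::set(...)`/`$_ENV[...]` assignments that carry a non-empty value. The sample paths, .gitignore and PHP snippet are constructed for the demonstration.

```python
import fnmatch
import re

# Locations the post says must never be committed (Kirby 2 layout).
SENSITIVE_PATHS = [
    "site/accounts/*",         # account files
    "site/config/config.php",  # main config (license, db and API credentials)
    "site/cache/*",            # cache files
    "thumbs/*",                # generated thumbnails (raised later in the thread)
]

# .gitignore entries that cover the locations above.
REQUIRED_IGNORES = ["/site/accounts", "/site/config/config.php", "/site/cache", "/thumbs"]

# Credential-looking assignments with a non-empty literal value, e.g.
#   c::set('license', 'abc')  or  $_ENV['AWS_SECRET_ACCESS_KEY'] = 'abc';
SECRET_ASSIGNMENT = re.compile(
    r"c::set\(\s*'(?P<ckey>[^']*(?:license|key|secret|password|token)[^']*)'\s*,\s*'[^']+'"
    r"|\$_ENV\['(?P<ekey>[^']*(?:license|key|secret|password|token)[^']*)'\]\s*=\s*'[^']+'",
    re.IGNORECASE,
)


def forbidden_paths(staged):
    """Return the staged paths that fall inside a sensitive Kirby location."""
    return [p for p in staged
            if any(fnmatch.fnmatch(p.lstrip("/"), pat) for pat in SENSITIVE_PATHS)]


def missing_ignores(gitignore_text):
    """Return required ignore entries that no line of the .gitignore covers.

    An entry is covered by an identical line or by a parent directory line
    (e.g. '/site/config' covers '/site/config/config.php')."""
    entries = ["/" + line.strip().strip("/") for line in gitignore_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")]
    return [req for req in REQUIRED_IGNORES
            if not any(req == e or req.startswith(e + "/") for e in entries)]


def secret_assignments(php_source):
    """Return the keys of credential-like assignments whose value is non-empty.

    Only keys are returned so the check never echoes a secret into hook output."""
    return [m.group("ckey") or m.group("ekey") for m in SECRET_ASSIGNMENT.finditer(php_source)]


if __name__ == "__main__":
    # Constructed sample input standing in for `git diff --cached --name-only` output.
    print(forbidden_paths(["site/accounts/admin.php", "content/home/home.txt"]))
    print(missing_ignores("/site/cache\n/site/config\n"))
    print(secret_assignments("c::set('license', 'constructed-sample');\n$_ENV['MAILGUN_KEY'] = '';"))
```

In a real hook, feed `forbidden_paths` the output of `git diff --cached --name-only` and fail the commit when any of the three functions returns a non-empty list.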

Why not the caching files? Is that a security reason?

It’s not highly critical advice in terms of security, but cache files should be ignored because they will be different on your local machine and on your server (URLs and stuff). By excluding them, you avoid possible issues.

1 Like

Okay, I understand, thanks Bastian :slight_smile: !

It might also make sense to store sensitive data in environment variables, so that anything private is in one place (an .env file) that can easily be excluded in .gitignore; phpdotenv can help with that.

3 Likes

Sometimes you need to share your config.php too. One possible solution could be to split it between sensitive and non-sensitive information.

<?php // site/config/config.php

// Pull in the ignored file that holds the sensitive values
require_once __DIR__ . DS . 'private.php';

// Non-sensitive config
// ...

# .gitignore
site/config/private.php

Some projects also recommend creating and committing a .dist file for excluded config files, so you could create a file like this:

<?php // site/config/private.php.dist

// Required configuration keys
// Copy private.php.dist to private.php and set the correct values

c::set('license', '');
c::set('other.stuff', '');

Edit: or you could gitignore the main config.php, and add (and maintain) a config.php.dist. Maybe that’s easier.

3 Likes

You are a genius :astonished:

It’s a common practice in several frameworks and software projects, so the genius is not mine. :wink:

1 Like

I add a .env file then include it on the site.php file (which Kirby loads automatically).

<?php // .env

// Site
$_ENV['SITE_URL']         = false;
$_ENV['SITE_PODCAST_URL'] = '';
$_ENV['SITE_SSL']         = false;
$_ENV['SITE_DEBUG']       = false;
$_ENV['SITE_ENV']         = 'local';
$_ENV['SITE_CACHEBUSTER'] = false;

$_ENV['CACHE']            = false;
$_ENV['CACHE_DRIVER']     = 'file';
$_ENV['CACHE_AUTOUPDATE'] = false;
$_ENV['CACHE_OPTIONS']    = null;

$_ENV['GOOGLE_ANALYTICS'] = '';

$_ENV['ALGOLIA_INDEX']     = '';
$_ENV['ALGOLIA_INDEX_TMP'] = '';
$_ENV['ALGOLIA_ID']        = '';
$_ENV['ALGOLIA_KIRBY']     = '';
$_ENV['ALGOLIA_KEY']       = '';

$_ENV['MAILGUN_KEY']    = '';
$_ENV['MAILGUN_DOMAIN'] = '';

$_ENV['MAILCHIMP_KEY']  = '';
$_ENV['MAILCHIMP_LIST'] = '';

$_ENV['AWS_ACCESS_KEY_ID']     = '';
$_ENV['AWS_SECRET_ACCESS_KEY'] = '';
$_ENV['S3_BUCKET']             = '';

$_ENV['KIRBY_LICENSE'] = '';

The above is only a sample with some defaults. It’s ignored by Git.

<?php // site.php

require(__DIR__ . DS . '.env');

$kirby = kirby();

// ...

Then my config.php file looks like:

<?php

c::set('url', $_ENV['SITE_URL']);

// ...

Since I use Laravel Forge for deployment, I only need to add the .env file once then I can easily edit it from the dashboard.

2 Likes

This is incredibly useful information. Could I suggest, that this is valuable enough to be added to the official docs?

1 Like

I was just about to say the same thing. It’s so good that it could be a part of the docs. Maybe in the security page?

Not for security concerns, but is there a reason for keeping the thumbs folder in a repo? They are generated, kind of like the cache.

The thumbs folder used to be in the .gitignore …, if it is not anymore, it should be.

2 Likes

What about adding:

/site/cache
/site/config

to .gitignore at:

https://github.com/getkirby/starterkit/blob/master/.gitignore
and at:
https://github.com/getkirby/langkit/blob/master/.gitignore
and at:
https://github.com/getkirby/plainkit/blob/master/.gitignore

and of course in the ZIP file at:
http://download.getkirby.com/

I don’t know whether someone needs this file on their webserver, but this file is very small and very useful for security on every webserver if (maybe much later!!!) someone wants to publish their projects on Github, Bitbucket or other Git repository platforms, regardless of whether they remember this post or not!

If the webmasters want, they can change every line, if they know what they are doing!

But this addition to these files would be safe I think.

I’ve created a PR on GitHub for each kit to add cache and config to the gitignore file.