Security Best Practices

The Preads Platform is designed with security as a core pillar. This guide provides technical instructions for hardening your production installation and protecting your network's integrity.

🛡️ Production Checklist

Before proceeding to a live environment, ensure the following critical configurations are applied.

  • SSL/HTTPS: Mandatory for protecting user sessions and API credentials.
  • APP_DEBUG: Set to false in .env to prevent credential exposure in stack traces.
  • Encryption Key: Generate a unique APP_KEY using php artisan key:generate.
  • 2FA Enforcement: Mandatory Two-Factor Authentication for all Admin accounts.
  • Credential Encryption: All API secrets must be stored using the internal encrypted setting helpers.

🔑 Identity & Access Management (IAM)

Two-Factor Authentication (2FA)

The platform includes an integrated TwoFactorAuthService that supports Time-based One-Time Passwords (TOTP) via apps like Google Authenticator or Authy.

  • Enforcement: Administrators can toggle mandatory 2FA in Settings → Security.
  • Recovery: High-entropy recovery codes are generated during the initial setup to prevent account lockout.

Brute-Force Protection

  • Account Lockout: After 5 failed attempts, accounts are automatically throttled for 30 minutes.
  • Security Logging: Every successful and failed login is recorded in the login_logs table, capturing the IP, Browser, and Geolocation metadata.
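A login handler that implements the lockout and logging described above, as an added example built on Laravel's RateLimiter facade (not Preads code); the login_logs column names used here are assumed:

```php
<?php
// Added example, not Preads code. Assumes a login_logs table with the columns
// used in recordAttempt(); rename them to match the platform's real schema.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Validation\ValidationException;
class LoginController
{
    private const MAX_ATTEMPTS = 5;        // 5 failed attempts ...
    private const LOCKOUT_SECONDS = 1800;  // ... throttle the account for 30 minutes
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required|string',
        ]);
        // Per-account key, as the page describes. Adding $request->ip() would
        // limit deliberate lockouts but give a distributed attacker 5 tries per address.
        $key = 'login:' . strtolower($credentials['email']);
        if (RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)) {
            $this->recordAttempt($request, false, 'locked');
            $wait = (int) ceil(RateLimiter::availableIn($key) / 60);
            throw ValidationException::withMessages(['email' => "Too many attempts; retry in {$wait} minutes."]);
        }
        if (! Auth::attempt($credentials)) {
            RateLimiter::hit($key, self::LOCKOUT_SECONDS); // counter expires 30 min after the first failure
            $this->recordAttempt($request, false, 'bad_credentials');
            throw ValidationException::withMessages(['email' => 'Invalid credentials.']);
        }
        RateLimiter::clear($key);           // a successful login resets the counter
        $request->session()->regenerate();  // new session id defeats session fixation
        $this->recordAttempt($request, true, 'ok');
        return redirect()->intended('/dashboard');
    }
    // Writes the audit row the page describes; geolocation enrichment is omitted here.
    private function recordAttempt(Request $request, bool $success, string $reason): void
    {
        DB::table('login_logs')->insert([
            'email'      => $request->input('email'),
            'ip'         => $request->ip(),
            'user_agent' => (string) $request->userAgent(),
            'success'    => $success,
            'reason'     => $reason,
            'created_at' => now(),
        ]);
    }
}
```

Because the counter is keyed on the account alone, the 'locked' rows in login_logs are also your signal for someone deliberately locking a user out; alert on them separately from plain bad_credentials entries.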

🔒 Data Protection

Encrypted Credential Storage

Sensitive platform secrets (e.g., SMTP passwords, Social Auth secrets, IP Intel keys) are never stored in plain text. Developers extending the platform must use the Setting model's encryption helpers.

// Storing a sensitive key
Setting::setEncrypted('mail_password', 'secret123', 'email');

// Retrieving and automatically decrypting
$password = Setting::getDecrypted('mail_password');

Database Hardening

  • Principle of Least Privilege: Your application's database user should only have SELECT, INSERT, UPDATE, and DELETE permissions. Avoid using root or GRANT ALL in production.
  • Prepared Statements: The platform uses Eloquent and Query Builder, which utilize prepared statements to provide native protection against SQL Injection.

🚦 Traffic & API Security

Rate Limiting (Throttling)

The platform implements granular rate limiting to defend against Denial of Service (DoS) and automated attacks.

  • Offers API: Throttled to 60 requests per minute via throttle:api.
  • Postback Receiver: Specialized throttling via throttle:postback to handle sudden bursts of traffic from 3rd party networks.

Input Validation

All incoming data is validated using Laravel FormRequests. This ensures that only sanitized, typed data enters your service layer.

// Example: Validating a deposit
$request->validate([
    'amount' => 'required|numeric|min:1|max:10000',
    'currency' => 'required|string|size:3'
]);

🌎 Web Server Hardening

Security Headers (Nginx Example)

Always configure your web server to send standard security headers to protect against clickjacking and XSS. Note that current browsers ignore X-XSS-Protection (their built-in XSS auditors have been removed), so the Content-Security-Policy line is the effective XSS control; the 'unsafe-inline' allowance in script-src weakens it, so move to nonces or hashes once the platform's inline scripts permit.

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/;";

File Permissions

Restrict access to sensitive internal files.

# Correct permissions for production
chmod 600 .env                          # only the owner can read the secrets in .env
chmod -R 755 bootstrap/cache storage    # the web server user must be able to write here
chown -R www-data:www-data .            # use the user your PHP-FPM pool actually runs as
