This guide is based on recommendations for deploying Kohana to production: http://docs.kohanaphp.com/installation/deployment
- Set your encryption key
- Edit application/config/encryption.php and change the following line:
Code Block
$config['default']['key'] = 'USHAHIDI-INSECURE';
For best security, your encryption key should be at least 16 characters long and contain letters, numbers, and symbols.
(Do not use a hash as your key. This significantly lowers encryption entropy.)
- Edit application/config/cookie.php and change the following line to your domain name (without the www):
Code Block
$config['domain'] = '';
Example:
Code Block
$config['domain'] = 'mymap.com';
- Enable HTTPS / SSL
- Purchase a valid SSL certificate (many hosting companies can do this for you, or try a major provider like verisign.com)
- You need a valid certificate, not a self-signed cert, or your users will get a big scary warning the first time they access your site.
- Install the SSL certificate on your server (again - many hosting companies can do this for you)
There are many guides online for how to install SSL certificates, and companies that sell certificates often provide install instructions.
- Set site protocol to https
Edit application/config/config.php and change the following line:
Code Block
$config['site_protocol'] = 'http';
to
Code Block
$config['site_protocol'] = 'https';
- Set the SECURE flag on cookies - this restricts cookies to only be sent over SSL, so they are never exposed on a plain HTTP connection.
Edit application/config/cookie.php and change the following line:
Code Block
$config['secure'] = FALSE;
to
Code Block
$config['secure'] = TRUE;
- Delete the installer
- The installer is a potential security vulnerability.
- While we try our best to make sure it can't be exploited, the installer should be deleted once your deployment is up and running.
- Delete the entire installer/ directory and its contents.
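The checklist above is easy to get partly wrong on a live server (one file edited, another forgotten). The script below is an added example, not part of Ushahidi or Kohana, that audits a deployment tree for every setting this guide changes: the encryption key is no longer the shipped default and meets the stated minimum, cookie.php names a domain and sets SECURE, config.php forces https, and installer/ is gone. It assumes the Kohana layout used in this guide (application/config/encryption.php, cookie.php and config.php under the deployment root); the two sample deployments it writes to a temporary directory are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of Ushahidi or Kohana: audit a deployment tree for
# the settings this checklist changes. Assumes the Kohana layout
# application/config/{encryption,cookie,config}.php and installer/ at the
# deployment root. The sample deployments written by make_fixture are constructed.

# Print the value assigned on the $config[...] line whose bracket path is $2,
# e.g. "['default']['key']" -> USHAHIDI-INSECURE, "['secure']" -> TRUE.
config_value() {
    grep -F "$2" "$1" \
        | sed -n "s/.*= *'\{0,1\}\([^';]*\)'\{0,1\};.*/\1/p" \
        | head -n 1
}

# 0 when the key is not the shipped default, is at least 16 characters long
# and mixes letters, digits and symbols (the guide's minimum).
check_encryption_key() {
    key=$(config_value "$1" "['default']['key']")
    [ "$key" != "USHAHIDI-INSECURE" ] || return 1
    [ "${#key}" -ge 16 ] || return 1
    printf '%s' "$key" | grep -q '[A-Za-z]'      || return 1
    printf '%s' "$key" | grep -q '[0-9]'         || return 1
    printf '%s' "$key" | grep -q '[^A-Za-z0-9]'
}

# 0 when cookie.php names a domain and sets the SECURE flag.
check_cookie() {
    [ -n "$(config_value "$1" "['domain']")" ] || return 1
    [ "$(config_value "$1" "['secure']")" = "TRUE" ]
}

# 0 when config.php forces https.
check_site_protocol() {
    [ "$(config_value "$1" "['site_protocol']")" = "https" ]
}

# 0 when the installer/ directory has been deleted.
check_installer_removed() {
    [ ! -e "$1/installer" ]
}

# Run every check against a deployment root; exit status is the number of failures.
audit() {
    cfg="$1/application/config"
    fails=0
    check_encryption_key "$cfg/encryption.php" || { echo "FAIL: encryption key is weak or still the default"; fails=$((fails + 1)); }
    check_cookie "$cfg/cookie.php"             || { echo "FAIL: cookie domain unset or SECURE flag off";     fails=$((fails + 1)); }
    check_site_protocol "$cfg/config.php"      || { echo "FAIL: site_protocol is not https";                fails=$((fails + 1)); }
    check_installer_removed "$1"               || { echo "FAIL: installer/ directory still present";        fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 passes all checks"
    return "$fails"
}

# Write one constructed deployment: $1 root, $2 key, $3 cookie domain, $4 secure, $5 protocol.
write_deploy() {
    mkdir -p "$1/application/config"
    printf "<?php\n\$config['default']['key'] = '%s';\n" "$2" > "$1/application/config/encryption.php"
    printf "<?php\n\$config['domain'] = '%s';\n\$config['secure'] = %s;\n" "$3" "$4" > "$1/application/config/cookie.php"
    printf "<?php\n\$config['site_protocol'] = '%s';\n" "$5" > "$1/application/config/config.php"
}

# Two constructed deployments under a temp dir: one as shipped, one hardened
# per this guide. Prints the temp dir.
make_fixture() {
    root=$(mktemp -d)
    write_deploy "$root/insecure" 'USHAHIDI-INSECURE' '' FALSE http
    mkdir -p "$root/insecure/installer"   # installer never deleted
    write_deploy "$root/hardened" 'Kz7#pQ2-mV9%rT4&wX1' mymap.com TRUE https
    printf '%s\n' "$root"
}

# On a real server run: audit /path/to/ushahidi
# Below, the constructed fixture is audited instead.
root=$(make_fixture)
audit "$root/insecure" || echo "insecure tree: $? check(s) failed"
audit "$root/hardened"
rm -rf "$root"
```

Point `audit` at the deployment root (the directory containing application/ and, before cleanup, installer/) and treat a non-zero exit as a blocked release; each failing line names the file to revisit in the checklist above.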
Before you install
- Change the auth salt pattern (requires version 2.5+)
WARNING: ONLY DO THIS ON A NEW INSTALLATION. Doing this on an existing installation will prevent all existing users from logging in.
- Set your encryption key
Since Ushahidi 2.5 this is done automatically in the installer. Otherwise, edit application/config/encryption.php and change the following line:
Code Block
$config['default']['key'] = 'USHAHIDI-INSECURE';
Your encryption key should be at least 16 characters long and contain letters, numbers, and symbols.
(Do not use a hash as your key. This significantly lowers encryption entropy.)