Sitecake security: XSS vulnerability

There have been XSS vulnerabilities reported in the past, have these been resolved in the v2.4.5 release?

I see I’m not the first to ask about security, but this particular concern was not raised in that thread.

It's unlikely. But anything is possible.

I'd recommend putting it behind a Cloudflare setup and creating a page rule for the admin.php or sitecake.php file and setting it to "I'm Under Attack" mode for that one page.

I went nearly a whole year without updating my installs and nothing happened, and in one case I forgot to change the default PW and no one pwned it, so it's unlikely a Sitecake install would be targeted by a sophisticated attacker. The sites are very simple and there's not much data to steal.

It's vulnerable to brute force, although I just told you a simple fix for that.

If you are really worried about XSS, consider deploying and enforcing CSP, CORS and Subresource Integrity on your resource files and web server respectively. If available, use DNSSEC. This wouldn't stop everything, but it helps.

Use HTTPS (https://letsencrypt.org hands out free SSL certs)
and enforce all connections to use it.

There is also HSTS (HTTP Strict Transport Security - Wikipedia),
but please do some extensive research and get a grasp of how HSTS works before deploying it, because you could end up with some adverse side effects if it's done incorrectly.

With that being said, keep your OS packages and binaries up to date; more hacks on websites and servers occur from the underlying software being vulnerable.

They also need to know the location of your sitecake.php or admin.php file, so if you don't include its location in the website code then it makes it harder to find, especially if you use some random file name.

Currently there are no known tools to detect a Sitecake-powered website, although it's as simple as writing a script to search for and other sc tags.

Hope that helps.
Have a good one.

Disclaimer: I am not responsible if anyone breaks their box.
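As an added example (not code from the original post or from the Sitecake project), the following Python script turns three of the checks recommended above into a pre-pentest self-audit: it scans a page's HTML for leaked references to the editor entry point and for "sc-"-prefixed classes (the filenames sitecake.php/admin.php come from the post; the "sc-" class prefix is an assumption about what "sc tags" refers to), flags external scripts and stylesheets that carry no Subresource Integrity attribute and shows how to compute one, and checks a response's HSTS and CSP headers for the common weak settings. The HTML page and the header sets are constructed samples embedded in the script, so it runs offline; in practice you would feed it the body and headers fetched from your own site.

```python
"""Pre-pentest self-check for a Sitecake-style site (added example, not Sitecake code).

Inputs are a page body and a dict of response headers that you fetch yourself;
the samples below are constructed for illustration.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser

# Assumptions about the Sitecake footprint: the editor file names mentioned in
# the thread and the "sc-" class prefix assumed to be what "sc tags" means.
ADMIN_FILE_RE = re.compile(r"(sitecake|admin)\.php", re.IGNORECASE)
SC_CLASS_PREFIX = "sc-"
ONE_YEAR = 31536000  # seconds; a common minimum for a meaningful HSTS max-age


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity= attribute value for a resource body, e.g. 'sha384-...'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """True if the body matches any of the (space-separated) hashes in integrity."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_hash(content, algo) == token:
            return True
    return False


class _Audit(HTMLParser):
    """Collect editor references, sc- classes and SRI-less external resources."""

    def __init__(self):
        super().__init__()
        self.admin_refs = []   # attribute values that point at the editor file
        self.sc_classes = []   # class names that reveal Sitecake markup
        self.unprotected = []  # external script/style URLs without integrity=

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for value in a.values():
            if value and ADMIN_FILE_RE.search(value):
                self.admin_refs.append(value)
        for cls in (a.get("class") or "").split():
            if cls.startswith(SC_CLASS_PREFIX):
                self.sc_classes.append(cls)
        src = None
        if tag == "script" and a.get("src"):
            src = a["src"]
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            src = a["href"]
        if src and src.startswith(("http://", "https://", "//")) and not a.get("integrity"):
            self.unprotected.append(src)


def audit_html(html: str) -> dict:
    """Return the three finding lists for one page body."""
    p = _Audit()
    p.feed(html)
    return {"admin_refs": p.admin_refs, "sc_classes": p.sc_classes, "unprotected": p.unprotected}


def audit_headers(headers: dict) -> list:
    """Return findings for missing or weak HSTS / CSP headers (keys matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP header missing")
    else:
        directives = dict(d.strip().split(None, 1) for d in csp.split(";") if " " in d.strip())
        script_src = directives.get("script-src", directives.get("default-src", ""))
        if not script_src:
            findings.append("CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src.split():
            findings.append("CSP script-src allows inline or wildcard scripts")
    return findings


# Constructed samples: one page that leaks the editor path and ships a CSS file
# without SRI, plus a weak and a reasonable header set.
SAMPLE_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="https://cdn.example/app.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head><body><div class="sc-content">Editable text</div>
<a href="/sitecake.php">edit</a></body></html>"""
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src *"}
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example"}

if __name__ == "__main__":
    print("HTML findings:", audit_html(SAMPLE_PAGE))
    print("Weak headers:", audit_headers(WEAK_HEADERS))
    print("Good headers:", audit_headers(GOOD_HEADERS))
    print("integrity for a local app.js body:", sri_hash(b"console.log(1);"))
```

The HTML pass is the same fingerprinting a scanner would do, which is why it is worth running against your own site before the third party does: every hit in `admin_refs` and `sc_classes` is something an attacker can grep for. For `unprotected` resources, paste the `sri_hash` output into the tag's `integrity=` attribute together with `crossorigin="anonymous"`, and regenerate it whenever the file changes, since a stale hash makes the browser refuse to load the resource.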

Thanks, Nick - this is quite helpful. Our client has extremely strict security requirements which surpass most banking sites’ security measures. The site will be subjected to penetration testing by a third party, so I need to be sure it’s buttoned up. I’ll check back with you if needed, but I think this is enough to point me in the right direction.