Security Configuration Guide for Botble CMS

Quick Setup Guide (For Website Administrators)

This guide helps you secure your Botble CMS website by configuring proper security settings.

Using the Admin Panel (Recommended)

1. Navigate to Security Settings

   • Log in to your Admin Panel
   • Go to Settings → Platform Administration → Security Settings
   • Or directly visit: /admin/system/security

2. Check Your Security Status

   • The page will show if your security settings are properly configured
   • If you see warnings, follow the instructions on the page

Manual Configuration (Alternative Method)

If you prefer to configure manually or the admin panel is not accessible:

Step 1: Open Your Configuration File

1. Locate the .env file in your website's root directory
2. Open it with any text editor (Notepad, TextEdit, etc.)

Step 2: Add Security Settings

Copy and paste these lines into your .env file:

# Cookie Security Settings (REQUIRED)
SESSION_HTTP_ONLY=true

# Additional Security Headers (RECOMMENDED)
ENABLE_HTTP_SECURITY_HEADERS=true

# For HTTPS websites only
SESSION_SECURE_COOKIE=false  # Change to true if using HTTPS

Step 3: Save and Apply Changes

1. Save the .env file
2. Go to Admin Panel → Platform Administration → Cache Management
3. Click "Clear all caches"

What These Settings Do

Essential Security Settings

• SESSION_HTTP_ONLY=true - Protects your website from certain hacking attempts (XSS attacks)
• SESSION_SECURE_COOKIE=true - Use this only if your website has HTTPS/SSL certificate
• ENABLE_HTTP_SECURITY_HEADERS=true - Adds extra protection against common web attacks
• SESSION_SAME_SITE=lax - Already set by default in Laravel, prevents CSRF attacks

Testing Your Configuration

How to Check if Settings Are Working:

1. Open your website in Chrome or Firefox
2. Press F12 to open Developer Tools
3. Go to the "Application" or "Storage" tab
4. Click on "Cookies" on the left side
5. Find your website's cookies
6. Look for these checkmarks:
   • ✅ HttpOnly (should be checked)
   • ✅ Secure (should be checked if using HTTPS)

Troubleshooting

If Settings Don't Work:

1. Make sure you saved the .env file
2. Clear your browser cache (Ctrl+F5 or Cmd+Shift+R)
3. Clear website cache - In admin panel or ask developer to run php artisan config:clear
4. Check for typos - Settings must be exactly as shown above

Common Issues:

• Website not loading after changes: Set SESSION_SECURE_COOKIE=false if not using HTTPS
• Cookies still not secure: Make sure there are no duplicate settings in your .env file

For Production Websites

Recommended Production Settings:

# For live websites with HTTPS
SESSION_HTTP_ONLY=true
SESSION_SECURE_COOKIE=true
ENABLE_HTTP_SECURITY_HEADERS=true
FORCE_SCHEMA=https

Minimum Required Settings:

# Absolute minimum for security
SESSION_HTTP_ONLY=true
ENABLE_HTTP_SECURITY_HEADERS=true

Note: SESSION_SAME_SITE=lax is already the default in Laravel and doesn't need to be explicitly set unless you want a different value.

Technical Details (For Developers)

What This Configuration Fixes:

This resolves the security vulnerability: "The remote HTTP web server / application is missing to set the 'HttpOnly' cookie attribute"

Implementation Details:

• HttpSecurityHeaders Middleware: Located at platform/core/base/src/Http/Middleware/HttpSecurityHeaders.php
• SecuritySettingController: Located at platform/core/base/src/Http/Controllers/SecuritySettingController.php
• Registration: Automatically loaded via EventServiceProvider
• Configuration: Controlled by config('core.base.general.enable_http_security_headers')
• Admin Interface: Available at /admin/system/security

Security Headers Added:

• X-Content-Type-Options: nosniff
• X-Frame-Options: SAMEORIGIN
• X-XSS-Protection: 1; mode=block
• Referrer-Policy: strict-origin-when-cross-origin

Note About Cookie Types:

• Session/Auth Cookies: Protected with HttpOnly flag ✅
• XSRF-TOKEN: Disabled by default in Botble CMS (uses meta tag CSRF tokens instead) ✅
• Cookie Consent Plugin: Cannot use HttpOnly (needs JavaScript access) - This is normal and safe

Allowing External Iframes in Editor

By default, Botble CMS restricts which external sites can be embedded via iframe in the editor content for security reasons. Only trusted sources like YouTube, Vimeo, Google Maps, Facebook, and TikTok are allowed.

Adding Custom Allowed Iframe URLs

If you need to embed content from other sites (e.g., form builders, widgets), you can whitelist them using the CMS_IFRAME_ALLOWED_URLS environment variable.

Step 1: Configure in .env File

Add the following line to your .env file:

# Allow single domain
CMS_IFRAME_ALLOWED_URLS=bb-form-builder.botble.com

# Allow multiple domains (separated by |)
CMS_IFRAME_ALLOWED_URLS=bb-form-builder.botble.com|forms.example.com|widgets.myservice.com

TIP

You can include or omit the protocol (http://, https://) and www. prefix - they will be automatically stripped. All of the following formats will work:

• bb-form-builder.botble.com
• https://bb-form-builder.botble.com
• http://www.bb-form-builder.botble.com

Step 2: Clear Cache

After updating the .env file:

1. Go to Admin Panel → Platform Administration → Cache Management
2. Click "Clear all caches"

Or run via command line:

php artisan config:clear

Default Allowed Iframe Sources

The following sources are allowed by default:

• youtube.com/embed
• player.vimeo.com
• maps.google.com
• www.google.com/maps
• drive.google.com
• www.facebook.com/plugins
• tiktok.com/embed
• Your application's own domain

Using Custom Regex Pattern (Advanced)

For advanced users who need more control, you can define a custom regex pattern:

CMS_IFRAME_FILTER_URL_REGEX=%^(https?:)?//(www\.)?(youtube\.com|vimeo\.com|example\.com)%

WARNING

When using CMS_IFRAME_FILTER_URL_REGEX, it completely overrides the default allowed URLs. Make sure to include all sources you want to allow.

Programmatic Configuration (For Developers)

You can also add allowed iframe URLs programmatically using the core_allowed_iframe_urls filter:

add_filter('core_allowed_iframe_urls', function (array $urls): array {
    return [
        ...$urls,
        'bb-form-builder.botble.com',
        'forms.example.com',
    ];
}, 20);

Support

If you need help with these settings, please:

1. Contact your website developer
2. Or check the Botble CMS documentation
3. Or post in the Botble CMS community forum