
Passwords & Secrets Management

Sensitive data (passwords, SMTP credentials, API keys) is never stored in plain text.

Password Hashing

Pragma CMS uses PHP’s password_hash() with the PASSWORD_DEFAULT algorithm (currently Bcrypt or Argon2id), so that even if the database is compromised, an attacker obtains only salted hashes and the passwords themselves remain unreadable.

Password Validation Rules:

The CMS enforces a strict policy: minimum 12 characters, including uppercase, lowercase, numbers, and special characters.

Secret Encryption (Libsodium)

For system secrets that must be decrypted before use (such as SMTP passwords), we use the SecurityManager, which is built on libsodium's authenticated symmetric encryption.

  1. Master Key: A unique 32-byte binary key is generated and stored in config_master_key.php.
  2. Secret Box: Secrets are encrypted using sodium_crypto_secretbox.
PHP
// Encrypting a secret (e.g., a service API key)
$encrypted = SecurityManager::encrypt_secret("my-api-key");

// Decrypting for use
$plain = SecurityManager::decrypt_secret($encrypted);
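
The secretbox scheme described above, as an added example that is not Pragma CMS's own SecurityManager code: it shows the per-secret random nonce and the authentication failure on a modified ciphertext. The function names, the base64(nonce || ciphertext) storage format and the demo key generated in place are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: function names are hypothetical, not Pragma CMS's SecurityManager.

/** Encrypt with a fresh random nonce; returns base64(nonce || ciphertext+MAC). */
function example_encrypt_secret(string $plaintext, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('Master key must be 32 bytes.');
    }
    // A nonce must never repeat under the same key; 24 random bytes make that safe.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

/** Returns the plaintext; throws if the blob is malformed, modified, or the key is wrong. */
function example_decrypt_secret(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed encrypted secret.');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or modified ciphertext.');
    }
    return $plain;
}

// Constructed demo key; a real deployment loads its stored 32-byte master key instead.
$key = sodium_crypto_secretbox_keygen();
$blob = example_encrypt_secret('my-api-key', $key);
var_dump(example_decrypt_secret($blob, $key) === 'my-api-key');

// Flip one bit of the stored blob: decryption must fail rather than return garbage.
$raw = base64_decode($blob, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
try {
    example_decrypt_secret(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
sodium_memzero($key); // wipe the key from memory once it is no longer needed
```

Because the nonce is stored alongside the ciphertext, encrypting the same secret twice yields different blobs, and only the master key has to stay confidential.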

Secure Sessions & Cookies

  • HttpOnly: Cookies are inaccessible to JavaScript.
  • Secure: Cookies are only sent over HTTPS.
  • SameSite (Lax/Strict): Restricts sending cookies on cross-site requests, which prevents cross-site tracking and enhances CSRF protection.