Security Guide
Must-have and recommended security features for hardening your CAS deployment at the application and server level.
Application-Level Security (Must Have)
1. HTTPS Enforcement
All CAS traffic must use HTTPS. Configure your web server to redirect all HTTP requests to HTTPS. Never transmit authentication tokens over unencrypted connections.
# Nginx — force HTTPS redirect
server {
    listen 80;
    server_name cas.yourdomain.com;
    return 301 https://$host$request_uri;
}
2. CSRF Protection
CAS uses Laravel's built-in CSRF protection. All POST/PUT/DELETE requests require a valid CSRF token. Client applications should include the CSRF token in form submissions.
3. Two-Factor Authentication (2FA)
Enable 2FA for all admin accounts at minimum. CAS supports TOTP-based 2FA via Google Authenticator, Authy, and similar apps.
Critical: Admin accounts without 2FA are a high-risk security vulnerability. Always enforce 2FA for administrators.
4. HMAC Request Signing
All API requests between client systems and CAS are signed using HMAC-SHA256. This prevents request tampering and replay attacks. Each client system has a unique API secret used for signing.
5. JWT Token Security
SSO tokens are JWT-based with short expiry times. Best practices:
- Tokens expire after a configurable time (default: 1 hour)
- Tokens are signed with a secure secret key
- Always validate tokens server-side, never trust client-side validation alone
- Rotate JWT secrets periodically
6. IP Whitelist
CAS provides an IP whitelist feature to restrict access to known, trusted IP addresses. When the whitelist is empty, all IPs are allowed. Once entries are added, only whitelisted IPs can access protected routes.
- Add production server IPs to the whitelist
- Supports CIDR notation for IP ranges
- Admin routes are always accessible (to prevent lockout)
7. Rate Limiting
API routes are rate-limited to prevent brute force and denial-of-service attacks. Default limits are configured in Laravel's throttle middleware. Customize limits based on your traffic requirements.
Server-Level Security (Recommended)
1. Firewall Configuration
Configure UFW or iptables to only allow necessary ports:
# Allow only SSH, HTTP, HTTPS
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
2. SSH Hardening
- Disable root login via SSH
- Use SSH key-based authentication instead of passwords
- Change the default SSH port (optional)
- Use fail2ban to block brute force SSH attempts
3. Docker Security
If running CAS in Docker (recommended deployment):
- Use non-root users inside containers
- Keep Docker and images updated regularly
- Limit container resource usage (CPU, memory)
- Don't expose database ports to the public network
4. Database Security
- Use strong, unique passwords for database users
- Don't expose MySQL/PostgreSQL ports publicly (keep on internal Docker network)
- Enable SSL for database connections in production
- Perform regular database backups
5. SSL/TLS Configuration
Use strong TLS configuration:
- Use TLS 1.2+ only (disable TLS 1.0 and 1.1)
- Use Let's Encrypt or a trusted CA for certificates
- Enable HSTS headers
- Automate certificate renewal
6. Regular Updates
Keep all components updated:
- Operating system packages (apt update && apt upgrade)
- Docker images
- PHP and Laravel dependencies (composer update)
- Node.js packages if applicable
Audit & Monitoring
CAS includes a comprehensive audit log system. Administrators should regularly review:
- Login attempts — Monitor for unusual login patterns or failed login spikes
- IP whitelist violations — Check for unauthorized IP access attempts
- Token generation events — Track SSO token creation and usage
- Admin actions — User creation, role changes, system configuration modifications
Access audit logs from the Admin Panel under Audit Logs. Set up routine weekly reviews as a security best practice.
Potential Breaches & Incident Response
If you suspect a security breach:
- Immediately rotate the JWT secret and all client system API secrets
- Review audit logs to identify the scope and source of the breach
- Revoke all active sessions by clearing the session store
- Enable IP whitelist to restrict access to known IPs only
- Force password resets for all affected user accounts
- Contact the development team at innovativesolution.com.np for assistance