222 lines
6.8 KiB
Markdown
222 lines
6.8 KiB
Markdown
# Security Changelog
|
|
|
|
This page documents all security-related changes, fixes, and improvements to Core PHP Framework.
|
|
|
|
## 2026
|
|
|
|
### January 2026
|
|
|
|
#### Core MCP Package
|
|
|
|
**SQL Query Validation Improvements**
|
|
- **Type:** Security Enhancement
|
|
- **Severity:** High
|
|
- **Impact:** Strengthened SQL injection prevention
|
|
- **Changes:**
|
|
- Replaced permissive `.+` regex patterns with restrictive character class validation
|
|
- Added explicit WHERE clause structure validation
|
|
- Improved pattern detection for SQL injection attempts
|
|
- **Commit:** [View changes](/packages/core-mcp/changelog/2026/jan/security)
|
|
|
|
**Database Connection Validation**
|
|
- **Type:** Security Fix
|
|
- **Severity:** Critical
|
|
- **Impact:** Prevents silent fallback to default database connection
|
|
- **Changes:**
|
|
- Added exception throwing for invalid database connections
|
|
- Prevents accidental exposure of production data
|
|
- Enforces explicit connection configuration
|
|
- **Commit:** [View changes](/packages/core-mcp/changelog/2026/jan/security)
|
|
|
|
#### Core API Package
|
|
|
|
**API Key Secure Hashing**
|
|
- **Type:** Security Feature
|
|
- **Severity:** High
|
|
- **Impact:** API keys now hashed with bcrypt, never stored in plaintext
|
|
- **Changes:**
|
|
- Bcrypt hashing for all API keys
|
|
- Secure key rotation with grace period
|
|
- Plaintext key only shown once at creation
|
|
- **Commit:** [View changes](/packages/core-api/changelog/2026/jan/features)
|
|
|
|
**Webhook Signature Verification**
|
|
- **Type:** Security Feature
|
|
- **Severity:** High
|
|
- **Impact:** HMAC-SHA256 signatures prevent webhook tampering
|
|
- **Changes:**
|
|
- Added HMAC-SHA256 signature generation
|
|
- Timestamp-based replay attack prevention
|
|
- Configurable signature verification
|
|
- **Commit:** [View changes](/packages/core-api/changelog/2026/jan/features)
|
|
|
|
**Scope-Based Authorization**
|
|
- **Type:** Security Feature
|
|
- **Severity:** Medium
|
|
- **Impact:** Fine-grained API permissions
|
|
- **Changes:**
|
|
- Middleware-enforced scope checking
|
|
- Per-endpoint scope requirements
|
|
- Scope validation in requests
|
|
- **Commit:** [View changes](/packages/core-api/changelog/2026/jan/features)
|
|
|
|
#### Core PHP Package
|
|
|
|
**Security Headers Enhancement**
|
|
- **Type:** Security Feature
|
|
- **Severity:** Medium
|
|
- **Impact:** Comprehensive protection against common web attacks
|
|
- **Changes:**
|
|
- Content Security Policy (CSP) with nonce support
|
|
- HTTP Strict Transport Security (HSTS)
|
|
- X-Frame-Options, X-Content-Type-Options
|
|
- Referrer-Policy configuration
|
|
- **Commit:** [View changes](/packages/core-php/changelog/2026/jan/features)
|
|
|
|
**Action Gate System**
|
|
- **Type:** Security Feature
|
|
- **Severity:** Medium
|
|
- **Impact:** Request whitelisting for sensitive operations
|
|
- **Changes:**
|
|
- Training mode for learning valid requests
|
|
- Enforcement mode with blocking
|
|
- Audit logging for all requests
|
|
- **Commit:** [View changes](/packages/core-php/changelog/2026/jan/features)
|
|
|
|
**IP Blocklist Service**
|
|
- **Type:** Security Feature
|
|
- **Severity:** Low
|
|
- **Impact:** Automatic blocking of malicious IPs
|
|
- **Changes:**
|
|
- Temporary and permanent IP blocks
|
|
- Reason tracking and audit trail
|
|
- Automatic expiry support
|
|
- **Commit:** [View changes](/packages/core-php/changelog/2026/jan/features)
|
|
|
|
**GDPR-Compliant Activity Logging**
|
|
- **Type:** Privacy Enhancement
|
|
- **Severity:** Medium
|
|
- **Impact:** Activity logs respect privacy regulations
|
|
- **Changes:**
|
|
- IP address logging disabled by default
|
|
- Configurable retention periods
|
|
- Automatic anonymization support
|
|
- User data deletion on account closure
|
|
- **Commit:** [View changes](/packages/core-php/changelog/2026/jan/features)
|
|
|
|
**Referral Tracking IP Hashing**
|
|
- **Type:** Privacy Fix
|
|
- **Severity:** Medium
|
|
- **Impact:** IP addresses hashed in referral tracking
|
|
- **Changes:**
|
|
- SHA-256 hashing of IP addresses
|
|
- Cannot reverse to identify users
|
|
- GDPR compliance
|
|
- **Commit:** c8dfc2a
|
|
|
|
---
|
|
|
|
## Reporting Security Issues
|
|
|
|
If you discover a security vulnerability, please follow our [Responsible Disclosure](/security/responsible-disclosure) policy.
|
|
|
|
**Contact:** support@host.uk.com
|
|
|
|
## Security Update Policy
|
|
|
|
### Supported Versions
|
|
|
|
| Version | Supported |
|
|
| ------- | ------------------ |
|
|
| 1.x | :white_check_mark: |
|
|
| < 1.0 | :x: |
|
|
|
|
### Update Schedule
|
|
|
|
- **Critical vulnerabilities:** Patch within 24-48 hours
|
|
- **High severity:** Patch within 7 days
|
|
- **Medium severity:** Patch within 30 days
|
|
- **Low severity:** Patch in next minor release
|
|
|
|
### Notification Channels
|
|
|
|
Security updates are announced via:
|
|
- GitHub Security Advisories
|
|
- Release notes
|
|
- Email to registered users (critical only)
|
|
|
|
## Security Best Practices
|
|
|
|
### For Users
|
|
|
|
1. **Keep Updated** - Always use the latest stable release
|
|
2. **Review Configurations** - Audit security settings regularly
|
|
3. **Monitor Logs** - Check activity logs for suspicious behavior
|
|
4. **Use HTTPS** - Always enforce HTTPS in production
|
|
5. **Rotate Keys** - Regularly rotate API keys and secrets
|
|
|
|
### For Contributors
|
|
|
|
1. **Security-First** - Consider security implications of all changes
|
|
2. **Input Validation** - Validate and sanitize all user input
|
|
3. **Output Encoding** - Properly encode output to prevent XSS
|
|
4. **Parameterized Queries** - Always use Eloquent or parameterized queries
|
|
5. **Authorization Checks** - Verify permissions before actions
|
|
|
|
## Security Features Summary
|
|
|
|
### Authentication & Authorization
|
|
- Bcrypt password hashing with automatic rehashing
|
|
- Two-factor authentication (TOTP)
|
|
- Session security (secure cookies, HTTP-only)
|
|
- API key authentication with bcrypt hashing
|
|
- Scope-based API permissions
|
|
- Policy-based authorization
|
|
|
|
### Data Protection
|
|
- Multi-tenant workspace isolation
|
|
- Namespace-based resource boundaries
|
|
- Automatic query scoping
|
|
- Workspace context validation
|
|
- Cache isolation per workspace
|
|
|
|
### Input/Output Security
|
|
- Comprehensive input sanitization
|
|
- XSS prevention (Blade auto-escaping)
|
|
- SQL injection prevention (Eloquent ORM)
|
|
- CSRF protection (Laravel default)
|
|
- Mass assignment protection
|
|
|
|
### API Security
|
|
- Rate limiting per tier
|
|
- Webhook signature verification (HMAC-SHA256)
|
|
- Scope enforcement
|
|
- API key rotation
|
|
- Usage tracking and alerts
|
|
|
|
### Infrastructure Security
|
|
- Security headers (CSP, HSTS, etc.)
|
|
- IP blocklist
|
|
- Action gate (request whitelisting)
|
|
- SQL query validation
|
|
- Email validation (disposable detection)
|
|
|
|
### Compliance
|
|
- Activity logging with audit trails
|
|
- GDPR-compliant data handling
|
|
- Configurable data retention
|
|
- Automatic data anonymization
|
|
- Right to be forgotten support
|
|
|
|
## Historical Vulnerabilities
|
|
|
|
No vulnerabilities have been publicly disclosed for Core PHP Framework.
|
|
|
|
---
|
|
|
|
**Last Updated:** January 2026
|
|
|
|
For the latest security information, always refer to:
|
|
- [Security Overview](/security/overview)
|
|
- [GitHub Security Advisories](https://github.com/host-uk/core-php/security/advisories)
|
|
- [Responsible Disclosure Policy](/security/responsible-disclosure)
|