# ðŸ‘Ū‍♀ïļ Security

# Security Checklist

Must constantly double-checking the following:

# Encoded IDs

✅ Public IDs are always encoded to avoid any attempt of content enumeration attack.

While the data is stored in database rows indexed with integer ids, Chevereto handles these on public as encoded identifiers. Similar to how YouTube encode their video IDs. This is made to avoid enumeration of content based on incremental identifiers (retrieve N content by doing +1 on the identifier).

# Encoding and decoding IDs

✅ Public IDs are unique and vary from each different installation.

On installation Chevereto creates a random generated crypt_salt which is used by the system to encode/decode these identifiers. This allows to convert the numeric ids stored in the database to alphanumeric ids unique to your installation.

# Making encoded IDs larger

✅ The length of encoded IDs can be customized.

Larger encoded IDs will be always better for preserving the privacy of the uploaded content. Two alternatives to achieve larger encoded IDs:

# Altering id_padding setting

ðŸ’Ą This method will affect previous generated links. Use it only if is safe to edit the IDs.

Go to the database, find the chv_settings table and edit the setting_name identified as id_padding. (zero by default).

Entering an integer value like 5000 will instruct the system to generate IDs using this base padding.

# Altering chv_images table

ðŸ’Ą This method won't affect any previous generated links.

Go to the database, find the chv_images table and change the AUTOINCREMENT to the ID padding you want to use.

# CSRF protection

✅ Built-in CSRF protection.

Cross-site request forgery (CSRF (opens new window)) is a type of exploit that is used to fool website's origin requests by transmitting instructions from a remote website without the user's consent, for example trigger a delete content request without the user consent or willing.

The CSRF protection is based in the usage of a request token, which is set by session when the website loads and is asked when sub-sequential request are made.

# Cryptography

✅ BCrypt passwords.

Chevereto uses BCrypt (opens new window) cryptography to store passwords and cookie login entries.

# reCAPTCHA

✅ Built-in reCAPTCHA support.

Chevereto includes support for reCAPTCHA (opens new window) which helps to prevent bots from signing up and try to brute-force a user password.

# Daily Invalid Requests

✅ Too many invalid request forbid access to the system.

An invalid request is when a user enters a bad password or the CSRF token doesn't match. Each time an invalid request is triggered the system stores the IP and the given action that triggers that invalid request.

There is a hard-coded setting in the system that controls the limit of allowed invalid requests per day and when a user reaches this limit the system won't allow requests from that in IP in a period of 24 hours.

# Flood Protection

✅ Control how much content/time can be added by users.

Avoid resource hungry users by configuring Flood Protection (opens new window). This enables to control how much they can upload based on configurable time settings.