How is EzyPlatform secured?

Updated at 2024-02-27 12:16 UTC
Security is one of the most crucial factors for EzyPlatform, and Young Monkeys pays special attention to it. Here are the security features that we have implemented for EzyPlatform.

Using a Highly Secure Programming Language

The choice of Java as the primary programming language for EzyPlatform is not arbitrary. Java is one of the most popular open-source languages globally and has relatively high security. You can refer to this article for more information.

Java is a compiled language, requiring developers to be more careful during plugin creation, avoiding basic syntax or data type-related errors. The trade-off is that each update may necessitate restarting EzyPlatform. However, we want users to have sufficient time for consideration and testing before applying any plugins.

Separating Admin and Website Interfaces

Unlike WordPress, where the admin and user interfaces are combined, EzyPlatform separates the admin and website into two distinct pages. This mitigates the risk of hackers exploiting potential vulnerabilities related to authenticated API exposure, enhancing data protection.

To reduce this risk, EzyPlatform has divided the admin and website interfaces and limits communication between them. We also recommend configuring a load balancer to allow access to the admin page only from your organization's IP addresses for added security.

Using BCrypt for Password Hashing

BCrypt is the password hashing algorithm we use, so that even we do not know the actual passwords chosen by users. SHA256 and MD5 are general-purpose hashing algorithms built for speed; BCrypt provides higher security for passwords because it is salted and deliberately slow, with an adjustable cost factor. You can refer to this article for more details.

Utilizing Secret Keys for Encrypting Sensitive Information

EzyPlatform uses a secret key to encrypt sensitive information such as passwords, API keys, and client secrets. You can set up or modify this secret key by creating or changing the settings/encryption-keys.txt file, or by using the change feature in the admin interface (Settings > Encryption). If you deploy multiple EzyPlatforms that share a common database for a single website or application, ensure that the secret key is identical across all of them.

Encrypting Access Tokens

Access tokens for both admin and web have the following structure: [Header][Body].

  1. Header: Encoded user id data.
  2. Body: Random data.

To launch an attack, a hacker would need to know the user id, secret key, and random data, making it nearly impossible to create a complete access token. Guessing the random data alone requires testing billions of possibilities.

Strict URI Access Management

EzyPlatform uses the EzyHttp framework for its HTTP server, which enforces strict management of URIs. Only registered URIs are added to the allowed access list when EzyPlatform starts up. This prevents unauthorized access to files within EzyPlatform. For example, if you have a file named hack.txt in the EzyPlatform directory, you won't be able to access it via the path {website path}/hack.txt, because the file is not registered and not recognized by EzyHttp.

Strict File Upload Management

By default, neither the web nor the socket server allows file uploads. Only administrators are permitted to upload files. You can configure the system to allow users to upload files, and when you do, you can specify the maximum file size and the file types allowed, to prevent users from uploading malicious files to attack your server.

Uploaded files are checked by their content to determine the file type, rather than relying solely on file extensions. For example, if a file named hack.exe is renamed to hack.png and uploaded to the server, it will be blocked if you only allow users to upload image files.
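
The content-based check described above can be sketched as follows. This is an added example, not EzyPlatform's own code; the class and method names, the signature table and the 1 MiB limit are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example: names and limits are hypothetical, not EzyPlatform APIs.
public class UploadContentCheck {

    // Leading "magic" bytes of a few well-known formats.
    private static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("image/png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        SIGNATURES.put("image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        SIGNATURES.put("image/gif", "GIF8".getBytes(StandardCharsets.US_ASCII));
        SIGNATURES.put("application/x-msdownload", "MZ".getBytes(StandardCharsets.US_ASCII));
    }

    // Returns the type detected from the content, or null when no signature matches.
    static String sniff(byte[] content) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            byte[] magic = e.getValue();
            if (content.length >= magic.length
                    && Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
                return e.getKey();
            }
        }
        return null;
    }

    // Accepts only when the size is within the limit and the detected type is
    // on the allow list. The uploaded file name is deliberately not consulted.
    static boolean accept(byte[] content, Set<String> allowedTypes, int maxBytes) {
        if (content.length == 0 || content.length > maxBytes) {
            return false;
        }
        String type = sniff(content);
        return type != null && allowedTypes.contains(type);
    }

    public static void main(String[] args) {
        Set<String> imagesOnly = Set.of("image/png", "image/jpeg", "image/gif");
        // Constructed samples: a PNG header, and an executable header uploaded as "hack.png".
        byte[] realPng = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D};
        byte[] renamedExe = {'M', 'Z', (byte) 0x90, 0, 3, 0, 0, 0};
        System.out.println("photo.png accepted: " + accept(realPng, imagesOnly, 1_048_576));
        System.out.println("hack.png  accepted: " + accept(renamedExe, imagesOnly, 1_048_576));
    }
}
```

A signature check inspects only the leading bytes of a file, so it works alongside the size limit and type allow list rather than replacing them.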

Additionally, EzyPlatform's use of Java ensures that uploaded files are not executed, similar to PHP security measures.

Allowing Security-Enhancing Plugins

EzyPlatform predominantly utilizes technologies within the Young Monkeys framework ecosystem, allowing developers to deeply intervene in the request-receiving, processing, and sending process. They can implement ideas for checking user-sent data, blocking IPs with excessive requests, or only permitting certain IPs to access specific paths. One such plugin we've created is EzyDefence.

Thoroughly Reviewing Plugins Before Marketplace Submission

All plugins undergo meticulous scrutiny before being submitted to the marketplace. This ensures that developers do not overlook essential data checks and prevents malicious behaviors toward users.

Java offers sufficient tooling for decompiling compiled code, so you can trust that we are able to carry out this review diligently.