🦄 Chevereto V4 users
Check the updated documentation at 👮♀️ Security (opens new window).
# Encoded IDs
Chevereto public IDs are encoded in order to avoid enumeration and get hard to guess URLs. All the users, images and albums ids are encoded for public use.
Public IDs are encoded to avoid any attempt of content enumeration attack.
# Encoding and decoding IDs
On installation, Chevereto creates a randomly generated
crypt_salt which is used by the
CHV\decodeID() functions. This allows to convert the numeric ids stored in the database to alphanumeric ids. Public ids vary from each different installation.
# Making encoded IDs larger
Larger encoded IDs will be always better for preserving the privacy of the uploaded content.
You have to alternatives to achieve larger encoded IDs:
This method will affect previously generated links. Use it only if is safe to edit the IDs.
Go to the database, find the
chv_settings table and edit the
setting_name identified as
id_padding. (zero by default).
Entering an integer value like
5000 will instruct the system to generate IDs using this base padding.
This method won't affect any previously generated links.
Go to the database, find the
chv_images table and change the
AUTOINCREMENT to the ID padding you want to use.
# CSRF protection
Cross-site request forgery (CSRF (opens new window)) is an exploit that is used to fool the websites by transmitting instructions from a remote website without the user's consent, for example trigger a delete content request.
The CSRF protection is based in the usage of a request token. The request token is set by session when the website loads and is asked when subsequential request are being made. If the token doesn't match the session it means that the request has not being initiated by the session and the system will return a 403 error.
Chevereto uses the BCrypt (opens new window) cryptography method to store the passwords and cookie login entries. Social login and the "Keep me logged in" feature uses a strong combination of BCrypt and random generated strings.
Chevereto includes support for reCAPTCHA (opens new window) which helps to prevent bots from signing up and try to brute-force an user password. In Dashboard > Settings > External services you can enable or disable reCAPTCHA and set how many invalid attempts triggers the reCAPTCHA.
# Invalid requests
An invalid request is when a user enters a bad password or the CSRF token doesn't match. Each time an invalid request is triggered the system stores the IP and the given action that triggers that invalid request.
There is a hard-coded setting in the system that controls the limit of allowed invalid requests per day and when an user reaches the
CHV_MAX_INVALID_REQUESTS_PER_DAY the system won't allow requests from that in IP in a period of 24 hours. The hard-coded value of this setting is 25 invalid requests and you can modify it in the