# Security Notes / Hardening Checklist

## 1) Remove or block the installer

After installation, **remove** `install/` or block it at the web server/WAF level.

Keeping the installer reachable increases risk: anyone who can load it may trigger a reinstall that overwrites the existing configuration, or read the information it discloses about the deployment.

## 2) Database credentials & secrets

- DB credentials are stored in `app/Config/Database.php` by the installer.
- License values are written into `.env` by the installer (`PURCHASE_CODE`, `LICENSE_KEY`).

Recommendations:
- Treat these as secrets (limit file permissions; keep out of public repos).
- Rotate credentials if they were ever exposed.
- Consider moving credentials to environment variables or the hosting platform's secret store and having the config read them from there, so they no longer live in files under the web root's parent tree.

## 3) Writable directories

Ensure:
- `writable/` is not publicly accessible (it ships with deny rules).
- Upload directories allow writing but do **not** allow executing scripts.
  - If you're on Apache, consider enforcing `php_admin_flag engine off` or equivalent for `uploads/`. Note that `php_admin_flag` only takes effect with mod_php; with PHP-FPM, deny requests for `.php` files inside `uploads/` at the web server instead.

## 4) Protect cron endpoints

Cron URLs are public GET endpoints:
- `/cron/update-feeds`
- `/cron/update-sitemap`
- `/cron/check-scheduled-posts`

Recommendations:
- Allow-list the scheduler IP(s) (hosting cron, server IP) at the WAF/firewall.
- Or add a secret token gate (if you choose to modify code).
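The token-gate option, as an added example that is not part of the project's own code: it assumes the app is CodeIgniter 4 (inferred from the `app/Config/` and `writable/` layout), and the filter class name, the `X-Cron-Token` header and the `CRON_TOKEN` variable are all hypothetical names chosen for the example.

```php
<?php
// app/Filters/CronTokenFilter.php  (hypothetical file; example, not project code)
namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class CronTokenFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Token lives in .env next to the other secrets (CRON_TOKEN is an assumed name), never in code.
        $expected = (string) env('CRON_TOKEN', '');

        // Fail closed: if no token is configured, every cron request is rejected.
        if ($expected === '') {
            return service('response')->setStatusCode(503, 'Cron token not configured');
        }

        // Expect the token in a header, not the query string, so it is not written to access logs.
        $presented = $request->getHeaderLine('X-Cron-Token');

        // hash_equals() compares in constant time, avoiding a timing side channel on the token.
        if ($presented === '' || ! hash_equals($expected, $presented)) {
            return service('response')->setStatusCode(403);
        }

        return null; // no response returned: fall through to the cron controller
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Nothing to do after the controller runs.
    }
}

// app/Config/Filters.php (excerpt): register the alias and apply it to every /cron/* route.
//
//   public array $aliases = [
//       // ... existing aliases ...
//       'cron-token' => \App\Filters\CronTokenFilter::class,
//   ];
//
//   public array $filters = [
//       'cron-token' => ['before' => ['cron/*']],
//   ];
```

The scheduler then calls the endpoints with the header set, for example `curl -fsS -H "X-Cron-Token: $CRON_TOKEN" https://your-site/cron/update-feeds`; combining this with the IP allow-list above gives two independent controls.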

## 5) Enforce HTTPS correctly

The root `.htaccess` forces HTTPS.

If you terminate TLS at a proxy:
- Ensure the application detects HTTPS correctly behind the proxy (it must trust the proxy's forwarded-protocol header), otherwise the HTTPS redirect in `.htaccess` loops.
- Prefer HSTS once HTTPS is stable.

## 6) Minimum file permissions (guideline)

Typical safe baseline (depends on hosting):
- Files: `0644`
- Directories: `0755`
- `.env`: readable by the web user, not world-writable

Avoid `0777` except as a temporary diagnostic step.