Last Updated: 3/8/2026

Security Best Practices

Overview

LinkAce is designed with security in mind, but proper configuration and deployment practices are essential for maintaining a secure installation.

Authentication & Authorization

Password Security

Strong Password Requirements:

• Minimum 8 characters (configurable)
• Mix of uppercase, lowercase, numbers, and symbols recommended
• Passwords are hashed using bcrypt with a cost factor of 10

Best Practices:

# In .env file
BCRYPT_ROUNDS=12  # Increase for stronger hashing (slower)

Multi-User Access Control

• Each user has isolated data by default
• Sharing is explicit (opt-in per link/list/tag)
• Admin users have full system access

User Roles:

• Regular User: Can manage own links, tags, lists
• Admin: Full system access, user management, system settings

API Token Security

Token Generation:

• Tokens are randomly generated (64 characters)
• Hashed before storage (SHA-256)
• Only shown once during creation

Best Practices:

1. Rotate tokens regularly: Delete and recreate periodically
2. Limit scope: Use separate tokens for different integrations
3. Monitor usage: Check last_used_at timestamp
4. Revoke unused tokens: Delete tokens no longer needed

Rate Limiting:

# In .env file
API_RATE_LIMIT=60  # Requests per minute per token

Single Sign-On (SSO)

LinkAce supports OAuth 2.0 and OIDC for enterprise authentication:

Supported Providers:

• Generic OAuth 2.0
• Generic OIDC (OpenID Connect)
• Custom providers (Keycloak, Authentik, etc.)

Configuration: See SSO Configuration Guide

Security Considerations:

• Validate redirect URIs
• Use HTTPS for OAuth callbacks
• Verify token signatures
• Implement token refresh

Application Security

HTTPS/TLS

Always use HTTPS in production:

# In .env file
APP_URL=https://your-domain.com
SESSION_SECURE_COOKIE=true

TLS Configuration:

• Use TLS 1.2 or higher
• Strong cipher suites only
• Enable HSTS (HTTP Strict Transport Security)

Nginx Example:

server {
    listen 443 ssl http2;
    server_name your-domain.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    # ... rest of configuration
}

Session Security

Session Configuration:

# In .env file
SESSION_DRIVER=database  # Or redis for better security
SESSION_LIFETIME=120     # Minutes
SESSION_SECURE_COOKIE=true  # HTTPS only
SESSION_HTTP_ONLY=true      # Prevent JavaScript access
SESSION_SAME_SITE=lax       # CSRF protection

Session Timeout:

• Default: 120 minutes (2 hours)
• Adjust based on security requirements
• Shorter timeouts = better security, worse UX

CSRF Protection

LinkAce uses Laravel’s built-in CSRF protection:

• All POST, PUT, PATCH, DELETE requests require CSRF token
• Tokens are automatically included in forms
• API endpoints use token authentication instead

Verification:

// Automatically verified by middleware
// No additional configuration needed

XSS Prevention

Output Escaping:

• Blade templates escape by default: {{ $variable }}
• Raw output only when necessary: {!! $trustedHtml !!}
• User input is sanitized before storage

Content Security Policy (CSP):

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

SQL Injection Prevention

• All database queries use Eloquent ORM or query builder
• Parameterized queries prevent SQL injection
• Never use raw queries with user input

Safe Query Example:

// Safe - uses parameter binding
$links = Link::where('user_id', $userId)->get();
 
// Unsafe - never do this
$links = DB::select("SELECT * FROM links WHERE user_id = $userId");

Infrastructure Security

Docker Security

Best Practices:

1. Run as non-root user:

   USER www-data

2. Limit container capabilities:

   # docker-compose.yml
   services:
     app:
       cap_drop:
         - ALL
       cap_add:
         - CHOWN
         - SETGID
         - SETUID

3. Use read-only root filesystem:

   services:
     app:
       read_only: true
       tmpfs:
         - /tmp
         - /var/run

4. Scan images for vulnerabilities:

   docker scan linkace/linkace:latest

Database Security

MySQL/PostgreSQL:

1. Use strong passwords:

   DB_PASSWORD=<strong-random-password>

2. Limit network access:

   • Bind to localhost only
   • Use firewall rules
   • Docker network isolation

3. Regular backups:

   • Automated daily backups
   • Test restore procedures
   • Encrypt backup files

4. Keep database updated:

   • Apply security patches promptly
   • Monitor security advisories

Redis Security

Configuration:

# redis.conf
requirepass your-strong-password
bind 127.0.0.1
protected-mode yes

Environment:

REDIS_PASSWORD=your-strong-password

File Upload Security

LinkAce doesn’t currently support direct file uploads, but if extended:

1. Validate file types: Whitelist allowed extensions
2. Scan for malware: Use antivirus scanning
3. Limit file size: Prevent DoS attacks
4. Store outside webroot: Serve via application
5. Randomize filenames: Prevent directory traversal

Environment Security

Environment Variables

Protect .env file:

# Set proper permissions
chmod 600 .env
chown www-data:www-data .env

Never commit .env to version control:

.env
.env.local
.env.*.local

Required Security Settings:

APP_ENV=production
APP_DEBUG=false
APP_KEY=<32-character-random-key>
APP_URL=https://your-domain.com
 
SESSION_SECURE_COOKIE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax

Debug Mode

NEVER enable debug mode in production:

APP_DEBUG=false  # Always false in production

Debug mode exposes:

• Stack traces with code snippets
• Environment variables
• Database queries
• File paths

Application Key

Generate a strong application key:

php artisan key:generate

Rotate periodically:

• Invalidates all sessions
• Requires all users to log in again
• Recommended after security incidents

Monitoring & Logging

Security Logging

Log Important Events:

• Failed login attempts
• API token usage
• Admin actions
• Permission changes

Log Locations:

# Application logs
storage/logs/laravel.log
 
# Web server logs
/var/log/nginx/access.log
/var/log/nginx/error.log

Failed Login Monitoring

Laravel tracks failed login attempts:

• Rate limiting after multiple failures
• Temporary account lockout
• Log suspicious activity

Intrusion Detection

Recommended Tools:

• Fail2ban: Block IPs with repeated failed attempts
• OSSEC: Host-based intrusion detection
• ModSecurity: Web application firewall

Fail2ban Example:

# /etc/fail2ban/jail.local
[linkace]
enabled = true
port = http,https
filter = linkace
logpath = /var/www/linkace/storage/logs/laravel.log
maxretry = 5
bantime = 3600

Update & Patch Management

Keep LinkAce Updated

1. Subscribe to security announcements:

   • Watch GitHub repository
   • Follow @LinkAceApp 

2. Test updates in staging:

   • Never update production directly
   • Verify compatibility
   • Test critical workflows

3. Apply security patches promptly:

   • Review changelog
   • Backup before updating
   • Follow upgrade guide

Dependency Updates

Check for vulnerabilities:

# PHP dependencies
composer audit
 
# JavaScript dependencies
npm audit

Update dependencies:

composer update
npm update

Backup & Disaster Recovery

Backup Strategy

1. Automated daily backups
2. Offsite storage (S3, Backblaze B2)
3. Encrypted backups
4. Test restore procedures monthly

Configuration: See Application Backups

Disaster Recovery Plan

1. Document recovery procedures
2. Maintain offsite backups
3. Test recovery process
4. Define RTO/RPO targets

Security Checklist

Pre-Production

• HTTPS/TLS configured with valid certificate
• APP_DEBUG=false in .env
• APP_ENV=production in .env
• Strong APP_KEY generated
• Secure session configuration
• Strong database passwords
• Firewall configured
• .env file permissions set to 600
• File permissions properly set
• Security headers configured

Post-Production

• Automated backups configured
• Backup restore tested
• Monitoring and alerting set up
• Log rotation configured
• Update schedule established
• Security audit performed
• Intrusion detection configured
• Rate limiting tested

Ongoing Maintenance

• Review logs weekly
• Update dependencies monthly
• Test backups monthly
• Review user access quarterly
• Security audit annually
• Rotate API tokens annually

Reporting Security Issues

If you discover a security vulnerability:

1. DO NOT open a public GitHub issue
2. Email security details to the maintainer privately
3. See SECURITY.md  for contact info
4. Allow time for patch before public disclosure

Related Documentation

• SSO Configuration
• System Settings
• Application Backups
• User Management
• System API Tokens