5.12. Security Checklist
The security checklist is an innovative feature that allows you to determine the strength of your current encoding settings. The security checklist can be accessed by clicking on the coloured gauge next to the status indicators on the status bar, or by choosing the Project/Security Checklist menu option.
As can be seen in the picture above, the different settings are separated into categories. For convenience, each category can be expanded or collapsed by clicking on the title. Each category also has its own indicator, which highlights the status of each setting belonging to that category. The colour of the indicator will change depending on how the settings have been configured. If an indicator is red, none of the settings have been configured yet. If it is orange, some settings have been configured, but others still need to be setup. If it is green, all settings in that category have been optimally configured.
Each individual setting also has its own indicator, which will display whether or not the setting has been configured or not. Each setting can be modified by clicking on the indicator, which will display the appropriate Project Settings page. If the setting has been correctly configured, the indicator will turn green. If the setting has been configured but requires additional setup, the indicator will turn orange. If the setting has not been configured yet, the indicator will turn red. For maximum protection, we recommend turning all of the indicators green.
A more visual indicator of the current security strength can be found on the application's status bar. The security gauge will fill up and turn from red to yellow to green depending on how many settings have been configured. This allows you to see at a glance if there are any outstanding additional security measures that can be implemented.
For this category, the project's target PHP version is checked. Because of the additional security features implemented in the Encoders for PHP 5.3 and above, this category can be completed by targeting a higher version of PHP. Targeting PHP 5.6 and above will give the highest security rating, while PHP 5.4 will give a slightly lower one. Targeting PHP 4, PHP 5 and PHP 5.3 will not give any change to the security rating.
For this category, the choice of dynamic and external keys is checked. External keys allow the protection key to be based on data that is external to the encoded files. This is particularly beneficial when access to the key is restricted, and not accessible to those who may have access to the encoded files. This could be the case if securing configuration files on a web server, where the key file may be accessible only to the root user.
Dynamic decoding is a technique whereby elements of the compiled code are decoded on a just in time (JIT) basis. Dynamic keys is a powerful technique whereby code is protected by encryption, and where the keys are not only external to the files, but existing only at runtime by being generated by the application program itself. This is controlled by annotations in the source code, and only known to the Encoder upon encoding. If the Encoder has detected the use of runtime keys during encoding, the security gauge will increase further. We STRONGLY recommend that you make use of the uniquely powerful and innovative dynamic keys technique in your code. Please read about Dynamic Keys for more information.
For this category, the project's restriction settings are checked. This category can be completed by choosing to disallow auto-prepend and auto-append, and by specifying a required include key. For more information about these settings, please read about Restriction Settings
For this category, the project's obfuscation settings are checked. This category can be completed by obfuscating class names, method names, function names and local variables. For more information about these settings, please read about Obfuscation Settings
For this category, the project's licensing settings are checked. This category can be completed by specifying that encoded files require a license. For more information about these settings, please read about License Creation
For this category, the Encoder's version is checked. This category can be completed by ensuring that your Encoder is kept up to date. When this icon turns red, it is recommended to obtain the updated version of the Encoder. In some cases an update may be available free of charge as a minor upgrade from the My Account section of our website, or otherwise by purchasing a major upgrade.
Copyright 2002-2017 ionCube Ltd. All rights reserved.