Security Settings
In CLIENTXCMS, security settings constitute the first line of defense for your platform.
Their purpose is essential: to configure the fundamental protection mechanisms that secure authentication, filter malicious access and harden your system. Proper security configuration protects your data, prevents intrusions, and maintains user trust.
These settings control authentication, password encryption, anti-spam protections, and administration access.
You can manage security settings from:
Settings > Security > Security Settings
Security starts with good basic settings. Each option you configure here significantly strengthens your platform's protection.
Why configure these settings?
Security settings are essential for:
- Protecting user accounts with robust encryption
- Filtering malicious registrations and spam
- Securing administrator access with custom URLs
- Controlling authentication according to your business needs
It's like adjusting the locks and alarms on your house 🏠 — the better it's configured, the better you sleep.
Password Encryption
Hashing Algorithms
Hashing Driver | (dropdown menu)
Choose the algorithm used to hash user passwords (passwords are stored as one-way hashes, never in recoverable form).
| Algorithm | Security | Performance | Recommendation |
|---|---|---|---|
| bcrypt | ✅ High | ⚡ Fast | Default, recommended |
| argon2 | ✅✅ Very high | 🐌 Slower | High security |
| argon2id | ✅✅✅ Maximum | 🐌🐌 Slowest | Critical security |
For users migrating from CLIENTXCMS v1, keep argon to maintain compatibility with existing passwords.
Changing the hashing algorithm will make all existing passwords invalid. Users will need to reset their password to log in again.
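To make the caveat above concrete, here is an added PHP example (not CLIENTXCMS code) that produces a hash with each driver listed in the table and reports which stored hashes would stop verifying after a driver change; the driver-to-constant mapping and the sample hashes are assumptions constructed for the illustration.

```php
<?php
// Added example, not CLIENTXCMS code. Requires PHP 7.4+ built with Argon2
// support; otherwise the PASSWORD_ARGON2* constants are undefined.
declare(strict_types=1);

// Assumed mapping of the page's driver names to password_hash() algorithms
// (Laravel's "argon" driver is Argon2i, "argon2id" is Argon2id).
const DRIVERS = [
    'bcrypt'   => PASSWORD_BCRYPT,
    'argon2'   => PASSWORD_ARGON2I,
    'argon2id' => PASSWORD_ARGON2ID,
];

function hashWithDriver(string $driver, string $password): string
{
    return password_hash($password, DRIVERS[$driver]);
}

// Return the IDs of accounts whose stored hash was NOT produced by $driver.
// These are the users who would need a password reset after switching.
function hashesNotMatchingDriver(string $driver, array $storedHashes): array
{
    $mismatched = [];
    foreach ($storedHashes as $userId => $hash) {
        // password_get_info() reads the algorithm from the hash prefix:
        // "$2y$" for bcrypt, "$argon2i$" / "$argon2id$" for Argon2.
        if (password_get_info($hash)['algo'] !== DRIVERS[$driver]) {
            $mismatched[] = $userId;
        }
    }
    return $mismatched;
}

// Constructed sample data: one v1-era Argon2 hash beside two bcrypt hashes.
$stored = [
    'user-1' => hashWithDriver('argon2', 'correct horse battery staple'),
    'user-2' => hashWithDriver('bcrypt', 'example-password-two'),
    'user-3' => hashWithDriver('bcrypt', 'example-password-three'),
];

// Show the distinguishing prefix each driver produces.
foreach (array_keys(DRIVERS) as $name) {
    echo str_pad($name, 9), ' => ', substr(hashWithDriver($name, 'example'), 0, 16), "...\n";
}

// Audit before switching the driver to bcrypt: only user-1 is affected here.
print_r(hashesNotMatchingDriver('bcrypt', $stored));
```

Run the audit against the real hash column before changing the driver so you know how many users to warn about a reset.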
Administration Security
Custom Administration URL
Administration Prefix | (text)
Customize the URL for accessing your administration interface to hide the standard access path.
Configuration Examples:
| Prefix | Access URL | Security Level |
|---|---|---|
| admin | /admin | ⚠️ Standard (avoid) |
| backoffice | /backoffice | ✅ Better |
| manage-2024 | /manage-2024 | ✅✅ Recommended |
| secure-xyz789 | /secure-xyz789 | ✅✅✅ Optimal |
- Use a unique and unpredictable prefix
- Avoid obvious words like "admin", "panel", "dashboard"
- Include numbers or special characters
- Change periodically to enhance security
CAPTCHA Protection
CAPTCHA Service Configuration
CAPTCHA Driver | (dropdown menu)
Choose the protection service against bots and automated spam.
| Service | Advantages | Disadvantages |
|---|---|---|
| none | No friction | ❌ No protection |
| reCAPTCHA | Widely supported | 🔍 Google data collection |
| hCaptcha | Privacy-friendly | ⚡ Less known |
| Cloudflare Turnstile | Optimal performance | 🆕 More recent |
Key Configuration
Site Key | (public key)
The public key provided by your CAPTCHA service, visible on the client side.
Secret Key | (private key)
The secret key to validate CAPTCHA responses on the server side.
- Never share your secret key
- Renew keys if they are compromised
- Configure authorized domains in your CAPTCHA dashboard
Detailed Configuration
For advanced CAPTCHA configuration, see the developer documentation.
Login Problem with a Misconfigured CAPTCHA
If you can no longer log in because of a misconfigured CAPTCHA, you can temporarily disable it by connecting to your database and changing the captcha_driver value in the settings table to none. This disables the CAPTCHA and lets you log in to your client area to correct the CAPTCHA configuration.
SQL command to execute:
```sql
UPDATE settings SET value = 'none' WHERE `key` = 'captcha_driver';
```
You can then clear the application cache by running the following command in your terminal at the root of your project:
```bash
php artisan cache:clear
```
You should now be able to log in to your client area and correct the CAPTCHA configuration.
Administrator passwords are always hashed with bcrypt, regardless of the algorithm chosen for user passwords, to keep access to the administration interface both fast and secure.