EgoWeb has various safety features to ensure secure data storage and transmission and to prevent unauthorized access. EgoWeb has been tested against the OWASP Top 10 Most Critical Web Application Security Risks using OWASP ZAP. Identified security vulnerabilities have been addressed, including the implementation of encryption and secure login procedures. EgoWeb encryption uses Yii's CPasswordHelper. The database and the application can be set up on different servers to enhance security. Each EgoWeb server can be set up with a unique encryption key, making the database secure and difficult to decrypt without access to the application server.

EgoWeb should meet many researchers' and organizations' standards for software security, but users have to make their own determination of its security acceptability. EgoWeb code is provided on an "as is" basis and the user assumes responsibility for its use. This code has not been peer-reviewed or otherwise evaluated beyond the development team, and is made available here without guarantee. EgoWeb developers are not responsible for errors and are not committed to maintenance, updates or support.

EgoWeb security features include:

1. All (potentially sensitive) survey response data is encrypted in the database. This includes encryption of all response data and personally identifying information (such as names of alters), as well as user names.

2. Brute force login attempts are prevented by forcing a captcha image verification input after a certain number of bad logins.

3. Malicious cross-site request forgery (CSRF) attacks are prevented by passing a randomly generated token with each request; the token is validated to ensure the request comes from the EgoWeb site.

4. Upload file sizes are limited to prevent crashing the site and gaining malicious access.

5. Access to (potentially sensitive) survey response data in the web UI requires appropriate role-level access.

6. API-level access requires an API key.

Most security features are configured in [app/protected/config/main.php](https://github.com/qualintitative/egoweb/blob/master/app/protected/config/main.php.example):

1. The data encryption key and algorithm are configured in the "securityManager" and "params" sections.

2. "maxLoginAttempts" is configured in the "securityManager" section.

3. "enableCsrfValidation" and "noCsrfValidationRoutes" are configured in the "request" section.

4. "maxUploadFileSize" is configured in the "params" section.

5. "apiKey" is configured in the "params" section.

Furthermore, SQL injection is prevented via the data layer through the ORM and prepared statements.
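As an added example (not EgoWeb's own configuration file), here is how the settings listed above might be laid out in a Yii 1 `main.php`, with the per-server encryption key read from a file outside the web root rather than hard-coded. `maxLoginAttempts` and `noCsrfValidationRoutes` are the EgoWeb-specific keys named on this page; all file paths, limits and the empty route list are placeholder assumptions.

```php
<?php
// Added example of a Yii 1 main.php security configuration, modelled on the
// sections listed above. Not EgoWeb's own file; paths and values are placeholders.

// Load the per-server encryption key from a file outside the web root instead
// of hard-coding it, so that a copy of the database alone cannot decrypt the
// response data and each deployment carries its own unique key.
$keyFile = '/etc/egoweb/encryption.key';            // placeholder path
$encryptionKey = is_readable($keyFile) ? trim(file_get_contents($keyFile)) : '';
if (strlen($encryptionKey) < 32) {
    // Refuse to start with a missing or short key rather than fall back to a default.
    throw new RuntimeException('EgoWeb encryption key is missing or too short');
}

return array(
    'components' => array(
        'securityManager' => array(
            'encryptionKey'    => $encryptionKey,
            'cryptAlgorithm'   => 'rijndael-256',  // Yii 1 CSecurityManager algorithm setting
            'maxLoginAttempts' => 5,               // EgoWeb-specific key; captcha forced after this many bad logins (assumed value)
        ),
        'request' => array(
            'enableCsrfValidation'   => true,      // per-request token validated on every POST
            'csrfTokenName'          => 'YII_CSRF_TOKEN',
            // EgoWeb-specific key. Every route listed here skips the CSRF check, so keep it
            // empty unless a route authenticates by other means (placeholder: none).
            'noCsrfValidationRoutes' => array(),
        ),
        // Database on a separate host from the application; PDO prepared statements.
        'db' => array(
            'connectionString' => 'mysql:host=db.internal.example;dbname=egoweb', // placeholder
            'username'         => 'egoweb',
            'password'         => trim(file_get_contents('/etc/egoweb/db.password')), // placeholder
            'emulatePrepare'   => false,           // use native server-side prepared statements
        ),
    ),
    'params' => array(
        'maxUploadFileSize' => 2 * 1024 * 1024,    // 2 MiB upload limit (assumed value)
        'apiKey'            => trim(file_get_contents('/etc/egoweb/api.key')), // placeholder; never commit a real key
    ),
);
```

Keeping the key, database password and API key in files readable only by the web server user means a leaked copy of `main.php` or of the database by itself does not expose the encrypted responses.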


EgoWeb code is provided on an "as is" basis and the user assumes responsibility for its use. This code has not been peer-reviewed or otherwise evaluated beyond the development team, and is made available here without guarantee. RAND is not responsible for errors and is not committed to maintenance, updates or support.