Bponi Shop Security

Bponi Shop is committed to developing secure, reliable products utilising all modern security best practices and processes.

The Bponi Shop security team is made up of full time staff employed by Bponi Shop as well as volunteer contributors and security experts. We do both consultation and penetration testing of our software and infrastructure with external security researchers and agencies.

We take security very seriously at Bponi Shop and welcome any peer review of our complete codebase to help ensure that it remains secure.

Security features

Automatic SSL

Bponi Shop's CLI tool attempts to automatically configure SSL certificates for all new Bponi Shop installs with Let's Encrypt by default. In 2019 we intend to make SSL mandatory for all new installs.

Standardised permissions

Bponi Shop-CLI does not run as root and automatically configures all server directory permissions correctly according to OWASP Standards.

Brute force protection

User login attempts and password reset requests are all limited to 5 per hour per IP.
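One way to enforce that limit, written here as an added example rather than Bponi Shop's own code: a per-IP sliding window of 5 attempts per hour, applied as middleware to the login and password-reset routes. The in-memory Map, the route key and the Express-style req/res shape are assumptions; a multi-process deployment would back the store with something shared such as Redis.

```javascript
// Added example, not Bponi Shop's own code. Assumed: in-memory store, Express-style handlers.
const LIMIT = 5;
const WINDOW_MS = 60 * 60 * 1000;

function createLimiter({ limit = LIMIT, windowMs = WINDOW_MS } = {}) {
  const attempts = new Map(); // key -> timestamps (ms) of recent attempts

  // Records an attempt for `key` unless the key is already over the limit.
  function check(key, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (attempts.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= limit) {
      attempts.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    attempts.set(key, recent);
    return { allowed: true, remaining: limit - recent.length, retryAfterMs: 0 };
  }
  return { check };
}

// Only trust X-Forwarded-For when the app sits behind a proxy you control;
// otherwise any client can spoof the header and dodge the limit entirely.
function clientIp(req, trustProxy) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (trustProxy && xff) return xff.split(',')[0].trim();
  return req.socket.remoteAddress;
}

// Express-style middleware for the sensitive routes.
function loginLimiter(limiter, trustProxy = false) {
  return (req, res, next) => {
    const result = limiter.check('login:' + clientIp(req, trustProxy));
    if (!result.allowed) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.end('Too many attempts, try again later');
    }
    next();
  };
}

// Constructed scenario, no network: six attempts from one IP, a different IP,
// and the first IP again after the hour has rolled past.
function demoRateLimit() {
  const limiter = createLimiter();
  const mw = loginLimiter(limiter);           // trustProxy=false, so the XFF header below is ignored
  const req = { headers: { 'x-forwarded-for': '198.51.100.9' }, socket: { remoteAddress: '203.0.113.7' } };
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    const res = { statusCode: 200, setHeader() {}, end() {} };
    mw(req, res, () => {});
    statuses.push(res.statusCode);
  }
  const otherIp = limiter.check('login:198.51.100.2').allowed;
  const afterWindow = limiter.check('login:203.0.113.7', Date.now() + WINDOW_MS + 5000).allowed;
  return { statuses, otherIp, afterWindow };
}
```

Per-IP limits are a floor, not a ceiling: they do nothing against an attacker spreading attempts over many addresses and they can lock out everyone behind one shared NAT, so a per-account counter alongside the per-IP one is the usual complement.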

Data validation and serialisation

Bponi Shop performs strong serialisation and validation on all data that goes into the database, as well as automated symlink protection on all uploaded files.

Encoded tokens everywhere

All user invitation and password reset tokens are generated with a server-side secret and base64 encoded for transport; the encoding itself provides no protection, the secret is what stops a token from being forged or altered. All tokens are single use and always expire.

Password hashing

Bponi Shop follows OWASP authentication standards: all passwords are salted and hashed with bcrypt, so that stored hashes cannot be reversed to recover passwords if the database is exposed.

SQLi prevention

Bponi Shop uses the Bookshelf ORM with the Knex query builder and does not generate any raw SQL queries of its own. Bponi Shop never interpolates variables directly into SQL strings; values are passed to the database as query bindings rather than concatenated into the statement.

XSS prevention

Bponi Shop uses safe, escaped strings everywhere, including and especially in all custom Vuejs helpers used in Bponi Shop Themes. Vue escapes text interpolation by default; theme code must still avoid rendering untrusted content with v-html, which bypasses that escaping.
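As an added example (not code from Bponi Shop or its themes), here is the escaping a custom helper that renders a link from user-controlled values needs. Text and attribute values are HTML-escaped, and the href is additionally checked against an allow-list of URL schemes, because escaping alone does not stop a `javascript:` URL from running when the link is clicked. The helper names and the allowed schemes are assumptions.

```javascript
// Added example, not Bponi Shop theme code. Assumed: http, https and mailto are the only allowed schemes.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:'];

// Returns the URL if it is relative or uses an allowed scheme, otherwise '#'.
function safeHref(url) {
  // Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
  // so strip them before looking for one.
  const cleaned = String(url).replace(/[\u0000-\u001F\u007F]/g, '').trim();
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(cleaned);
  if (!m) return cleaned;                                   // relative URL, no scheme
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase()) ? cleaned : '#';
}

// A theme helper that renders a link from user-controlled values.
function linkHelper(text, href) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(text)}</a>`;
}

// The unsafe version, kept only to show what the helper above prevents.
function unsafeLinkHelper(text, href) {
  return `<a href="${href}">${text}</a>`;
}
```

The two contexts need different treatment: escaping handles markup injection in text and attributes, while the scheme check handles a value that is syntactically harmless but semantically executable.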

Dependency management

All Bponi Shop dependencies are continually scanned for known vulnerabilities with NSP, the Node Security Platform (since folded into npm audit).


Privacy

Bponi Shop as an organisation is profitable, wholly independent, and only makes revenue directly from its customers. It has zero business interests of any kind predicated on selling private user data to third parties.

In addition the Bponi Shop software itself contains a plainly written summary of every privacy-affecting feature within Bponi Shop, along with detailed configuration options allowing any and all of them to be disabled at will.

We take user privacy extremely seriously.