Digital & Web Security Policy
This document outlines how The Engine is Red handles security in relation to digital and web development.
Servers
- We recommend VPS hosting to clients (currently UpCloud) so that client websites are not on a shared server with any other companies.
- We recommend clients move their DNS to Cloudflare to mitigate DDoS attacks
- Security patches and packages are installed weekly, automatically on client servers
- All servers that we manage are provisioned with Ploi
- We use Ploi to install and automatically renew Let's Encrypt TLS (SSL) certificates
- Domains managed by us:
  - Enforce HTTPS via Cloudflare
  - Enable HSTS via Cloudflare with a `max-age` of 6 months (15768000 seconds); HSTS is only switched on once every subdomain of the site is served over HTTPS, because browsers will refuse plain HTTP for the whole duration once the header has been seen
  - Automatic HTTPS Rewrites
- We use the latest LTS installation of Ubuntu for new client web servers
- Clients are advised to move to a new server before their Ubuntu LTS release reaches the end of its standard support period (five years after release), at which point it stops receiving security updates
Maintenance
- For clients that have active maintenance contracts, we update Craft and its plugins either monthly or quarterly
- We recommend a maintenance contract to all clients to keep their websites updated both in terms of security and front end performance
- All sites we actively maintain are backed up regularly to AWS via Ploi or SnapShooter
Passwords & Documents
- We use Two Factor Authentication wherever possible
- We use 1Password's built-in tools (Watchtower) to measure password strength and to flag any passwords that have appeared in a known breach
- We never share client passwords externally
- Passwords are stored in 1Password
- For our own passwords, we use strong, randomly generated passwords via 1Password that are never re-used. We recommend clients do this too
- Passwords are not sent in plain text by email
- Our password vault is separated into containers. Only the people who need certain passwords are able to access them
- Users who leave the company have their access to passwords revoked
- Online documents and tools are only shared with the people who need access, never publicly
Working with Freelancers
- Developers are required to sign an NDA before being given access to any client data
- Access to servers is restricted to SSH keys, no passwords
- Developers are only given access to the site they are actively working on
- Once a developer is no longer working on a site, their access to the server and repository is revoked and their CMS account is disabled
General
- We use automated code and dependency monitoring tools that flag known vulnerabilities in the sites we are actively working on
- We recommend Craft CMS for almost all client projects. In terms of security, here’s what you need to know about how Craft is secured at the code level: https://craftcms.com/knowledge-base/security-faq
Shopify Policies
Publicly available Shopify Apps must either be from the safe list below or be reviewed individually. Ideally, apps installed:
- Have good documentation
- Have a rating above 4 stars
- Have at least 100 reviews, or have been developed specifically for one of our clients
- Have been verified as having little impact on site performance
Craft CMS Policies
Craft plugins must either fulfil the criteria below, or be reviewed individually by the lead developer. Ideally, plugins installed:
- Have good documentation
- Have many (at least 100) active installs
- Be actively maintained
- Have a good response time for GitHub issues
- Have a stable version number (1.x or above, not a 0.x pre-release)
- Be from one of the companies in our Plugin Developer Safe List
We follow all advisories in the Securing Craft article from Pixel & Tonic:
- The source folder is kept above the webroot
- `allowAdminChanges` is set to false in both staging and production
- We explicitly set the `@web` alias for the site
- We enable all "Purify HTML?" Redactor field settings
- We use Freeform for all forms; Freeform forms include Craft's CSRF token, so CSRF protection is in place without extra work
- We use the latest major version of PHP on new sites, and upgrade existing sites when they move to new servers
- File permissions are reviewed and set according to Craft’s installation guide
- General Configuration settings are reviewed on a per-site basis during development
- We set applicable security headers during development
- We change the `cpTrigger` from the default `admin`
- We remove the `X-Powered-By: Craft CMS` header
- Inactive CMS user accounts are disabled or deleted
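Several of the settings listed above (`allowAdminChanges`, the `@web` alias, `cpTrigger` and the `X-Powered-By` header) live in Craft's `config/general.php`. The file below is an added example written for this page; it is not the agency's own configuration and not code from Craft's documentation. The environment names (`dev`, `staging`, `production`), the environment variable names and the replacement control panel trigger are assumptions; the setting names themselves are Craft's.

```php
<?php
// Added example of a Craft CMS config/general.php, not the agency's or Craft's own file.
// Settings are layered: '*' applies everywhere, then the block matching CRAFT_ENVIRONMENT
// (assumed here to be 'dev', 'staging' or 'production') overrides it.
use craft\helpers\App;

return [
    '*' => [
        // Explicitly set @web so Craft never derives the site URL from the Host header.
        // PRIMARY_SITE_URL is an assumed environment variable, e.g. https://www.example.com
        'aliases' => [
            '@web' => App::env('PRIMARY_SITE_URL'),
        ],

        // Move the control panel off the default /admin path.
        // CP_TRIGGER is assumed; 'manage' is a placeholder, pick something non-obvious.
        'cpTrigger' => App::env('CP_TRIGGER') ?: 'manage',

        // Do not advertise the CMS in the X-Powered-By header.
        'sendPoweredByHeader' => false,

        // Craft's CSRF protection is on by default; stating it keeps it from being
        // switched off accidentally in a later edit.
        'enableCsrfProtection' => true,

        // Keep the security key out of the repository.
        'securityKey' => App::env('SECURITY_KEY'),
    ],

    'dev' => [
        // Project config changes (new fields, sections, plugins) are only made locally.
        'allowAdminChanges' => true,
        'devMode' => true,
    ],

    'staging' => [
        // Staging and production are read-only for admin changes; schema changes
        // arrive through deployment of config/project, not through the control panel.
        'allowAdminChanges' => false,
        'devMode' => false,
    ],

    'production' => [
        'allowAdminChanges' => false,
        'devMode' => false,
    ],
];
```

`craft\helpers\App::env()` is available from Craft 3.7.29 and in Craft 4; on older Craft 3 sites the equivalent is `getenv('PRIMARY_SITE_URL')`. After deploying, confirm the result with `curl -I https://www.example.com/` (hostname assumed): the response should carry no `X-Powered-By` header, and a request to `/admin` should return a 404 rather than the login page.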
Plugin Developer Safe List
The companies below have a proven track record in high quality software and have been active in the Craft community for years. We trust their work.