
Security concerns

Castopod is built on top of CodeIgniter4, a PHP framework that encourages good security practices.

To maximize your instance’s safety and reduce the impact of a malicious attack, we recommend that you reset the permissions on all your Castopod files after each installation or update (this also clears any permission errors left over from a previous state):

  • writable/ folder must be readable and writable.
  • public/media/ folder must be readable and writable.
  • any other file must be set to read-only.

For instance, if you are using Apache or NGINX on Ubuntu, you may do the following:

sudo chown -R root:root /path/to/castopod
sudo chown -R www-data:www-data /path/to/castopod/writable
sudo chown -R www-data:www-data /path/to/castopod/public/media
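As an added example (not part of the Castopod documentation or project), here is a POSIX shell audit that checks a Castopod tree against the layout above: writable/ and public/media must be writable, and nothing outside those two trees may be owned by the web server user or be group/world writable. The web server user name (www-data) and the install path are assumptions to adjust for your host.

```shell
#!/bin/sh
# Audit a Castopod tree: only writable/ and public/media may belong to the
# web server user; everything else should be read-only for it.
# Usage: castopod_perm_audit /path/to/castopod [web_user]
# web_user defaults to www-data (an assumption; match your server's user).
castopod_perm_audit() {
    root="${1%/}"
    web_user="${2:-www-data}"
    issues=0

    # 1. Both writable directories must exist and carry the owner write bit
    #    (mode bits are checked rather than -w, which is always true for root).
    for d in "$root/writable" "$root/public/media"; do
        if [ ! -d "$d" ] || [ -z "$(find "$d" -prune -perm -200)" ]; then
            echo "NOT WRITABLE: $d"
            issues=$((issues + 1))
        fi
    done

    # 2. Outside those two trees, nothing may be group- or world-writable.
    bad=$(find "$root" -path "$root/writable" -prune -o \
                       -path "$root/public/media" -prune -o \
                       \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's#^#WRITABLE BY GROUP/OTHERS: #'
        issues=$((issues + $(printf '%s\n' "$bad" | wc -l)))
    fi

    # 3. Outside those two trees, nothing may be owned by the web server user
    #    (skipped when that user does not exist on this host).
    if id "$web_user" >/dev/null 2>&1; then
        bad=$(find "$root" -path "$root/writable" -prune -o \
                           -path "$root/public/media" -prune -o \
                           -user "$web_user" -print)
        if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | sed "s#^#OWNED BY $web_user: #"
            issues=$((issues + $(printf '%s\n' "$bad" | wc -l)))
        fi
    fi

    if [ "$issues" -eq 0 ]; then
        echo "OK: $root"
        return 0
    fi
    echo "$issues issue(s) found under $root"
    return 1
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then castopod_perm_audit "$@"; fi
```

The function exits non-zero when it finds anything, so it can run from a post-deploy hook or a cron job and fail loudly.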

Third-party Plugins

Since v2’s Plugins Architecture, Castopod can be extended with all sorts of cool features. Anyone can choose to create their own plugins and even share them with the community.

👉 Plugins are a way to inject code in parts of Castopod through Hooks.

Now, if you create your own plugin and install it in your own Castopod, that means you control both the code that gets injected and the environment: all is good!

But as for third-party plugins, you must treat them as a potential security risk by default:

  1. Make sure you trust the source before installing any third-party plugin
  2. Review the plugin’s code yourself if you can or ask developers from the community for help