🔒 Security
Learn about EasySign's security features and best practices.
Data Encryption
Encryption at Rest
All uploaded documents are encrypted with AES-256-CBC before they are written to disk:
- A unique, randomly generated initialization vector (IV) for every file (an IV must never be reused under the same key)
- Encryption key read from an environment variable, so it lives outside the code base and the document store
- Documents are decrypted only at the moment an authorized user accesses them
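The pattern above, as an added example rather than EasySign's own code: a 256-bit key is read from an environment variable, every file gets a fresh random IV, and the IV is stored in front of the ciphertext so it never has to be reused. The example goes one step beyond what the page describes by adding an encrypt-then-MAC tag, because CBC on its own does not detect a modified ciphertext. The variable name EASYSIGN_ENC_KEY, the HKDF labels and the on-disk layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not EasySign's own code. EASYSIGN_ENC_KEY (64 hex chars) and the
// on-disk layout are assumptions:  IV (16) || AES-256-CBC ciphertext || HMAC-SHA256 tag (32)

function load_master_key(): string
{
    $hex = getenv('EASYSIGN_ENC_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('EASYSIGN_ENC_KEY must be 64 hex characters (256-bit key)');
    }
    return hex2bin($hex);
}

// Derive separate encryption and MAC keys so the AES key is never reused for HMAC.
function derive_keys(string $master): array
{
    return [
        'enc' => hash_hkdf('sha256', $master, 32, 'easysign-document-enc'),
        'mac' => hash_hkdf('sha256', $master, 32, 'easysign-document-mac'),
    ];
}

function encrypt_document(string $plaintext, string $master): string
{
    $k  = derive_keys($master);
    $iv = random_bytes(16);   // fresh, unpredictable IV for every file
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // Encrypt-then-MAC: the tag covers IV and ciphertext and is checked before decryption,
    // so a tampered file is rejected instead of being decrypted into garbage.
    $tag = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    return $iv . $ct . $tag;
}

function decrypt_document(string $blob, string $master): string
{
    if (strlen($blob) < 16 + 16 + 32) {   // IV + at least one cipher block + tag
        throw new RuntimeException('stored document too short');
    }
    $k   = derive_keys($master);
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ct, $k['mac'], true);
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        throw new RuntimeException('document failed integrity check');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $k['enc'], OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Demo with a constructed key and a stand-in for an uploaded PDF.
putenv('EASYSIGN_ENC_KEY=' . bin2hex(random_bytes(32)));   // demo only; deploy a real secret
$master = load_master_key();
$pdf    = "%PDF-1.7\n% constructed sample document\n";
$stored = encrypt_document($pdf, $master);
echo decrypt_document($stored, $master) === $pdf ? "round trip ok\n" : "round trip FAILED\n";

// Flip one ciphertext byte: decryption must refuse rather than return corrupted data.
$tampered = $stored;
$tampered[20] = chr(ord($tampered[20]) ^ 0x01);
try {
    decrypt_document($tampered, $master);
    echo "BUG: tampering not detected\n";
} catch (RuntimeException $e) {
    echo "tamper detected: {$e->getMessage()}\n";
}
```

Two points worth checking in any deployment of this scheme: the key must really come from the process environment (not a .env file committed to the repository), and the stored blob must be written outside the web root so the ciphertext is never served directly.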
Encryption in Transit
All data is transmitted over HTTPS with TLS 1.2 or newer:
- HSTS header enforced, so browsers refuse to downgrade to plain HTTP
- Automatic HTTP to HTTPS redirect
- Modern cipher suites only
Authentication
Password Security
- Passwords hashed with bcrypt via PHP's password_hash(); plaintext passwords are never stored
- Configurable minimum length and complexity rules
- No password recovery, only reset: a bcrypt hash cannot be reversed, so a forgotten password is replaced, never retrieved
Two-Factor Authentication (MFA)
- TOTP-based (RFC 6238), so any standard authenticator app works (Google Authenticator, Authy, etc.)
- Can be enforced for all users
- Recovery codes issued at enrolment, for use when the authenticator device is unavailable
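How a TOTP check like the one described above works, as an added example (not EasySign's code): the shared secret is base32-decoded, an RFC 4226 HOTP value is computed for the current 30-second step and one step either side to tolerate clock drift, and the submitted code is compared in constant time. The secret and timestamps in the demo are the RFC 6238 test vectors; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example of RFC 6238 TOTP verification, not EasySign's own code.
// Assumes the per-user secret is stored base32-encoded, as authenticator apps expect.

function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = strtoupper(str_replace(' ', '', rtrim($b32, '=')));
    if ($clean === '') {
        throw new InvalidArgumentException('empty base32 secret');
    }
    $bits = '';
    foreach (str_split($clean) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {           // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226) for one counter value: HMAC-SHA1 plus dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);               // 64-bit big-endian counter
    $hmac   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current 30-second step and one step either side (clock drift).
// All candidates are always evaluated and compared with hash_equals, so the
// check does constant work whichever step matches.
function verify_totp(string $b32secret, string $submitted, ?int $now = null, int $window = 1): bool
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;                            // fail closed on malformed input
    }
    $secret = base32_decode($b32secret);
    $step   = intdiv($now ?? time(), 30);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $match = hash_equals(hotp($secret, $step + $i), $submitted);
        $ok = $ok || $match;
    }
    return $ok;
}

// Demo using the RFC 6238 test secret "12345678901234567890" (base32 below) at T=59,
// where the reference 8-digit value 94287082 truncates to 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
echo verify_totp($secret, '287082', 59) ? "valid code accepted\n" : "BUG: valid code rejected\n";
echo verify_totp($secret, '000000', 59) ? "BUG: wrong code accepted\n" : "wrong code rejected\n";
```

Two things a verifier like this still needs around it in a real login flow: record the last accepted time step per user and refuse any code for that step or earlier (otherwise a code intercepted within the window can be replayed), and rate-limit attempts, since six digits fall to brute force without it.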
Session Management
- Session cookies carry the HttpOnly, Secure and SameSite attributes
- Configurable idle timeout
- Session ID regenerated on login, which defeats session fixation
- Configurable: one active session per user, or concurrent sessions across several devices
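The password and session practices listed in the two sections above, combined into one login path as an added example (not EasySign's code). It hashes with bcrypt through password_hash(), verifies against a dummy hash when the account does not exist so response time does not reveal valid e-mail addresses, upgrades old hashes transparently, sets the cookie attributes, and regenerates the session ID on login. The users table layout, the cost factor and the function names are assumptions; $pdo is an existing PDO connection.

```php
<?php
declare(strict_types=1);

// Added example, not EasySign's own code. Table and column names are assumptions.
const BCRYPT_COST = 12;   // tune so one hash takes roughly 250 ms on your hardware

function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns the user row on success, null otherwise. password_verify always runs,
// even for unknown e-mail addresses, so timing does not reveal which accounts exist.
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    static $dummy = null;   // one dummy hash per process keeps the work factor constant
    $dummy ??= password_hash('not-a-real-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $hash = $user['password_hash'] ?? $dummy;

    if (!password_verify($password, $hash) || $user === false) {
        return null;
    }
    // Transparently upgrade hashes created with a lower cost factor.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => hash_password($password), ':id' => $user['id']]);
    }
    return $user;
}

// Call before any output. The idle timeout is enforced server-side, because a
// cookie lifetime is only advisory to the browser.
function start_secure_session(int $idleTimeoutSeconds): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // cross-site POSTs do not carry the cookie
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
    session_start();
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleTimeoutSeconds) {
        session_unset();                        // expired: drop the data ...
        session_regenerate_id(true);            // ... and the old ID
    }
    $_SESSION['last_seen'] = time();
}

function login_user(array $user): void
{
    // A new session ID on privilege change means an ID planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int)$user['id'];
    $_SESSION['login_at'] = time();
}

// Usage in the login controller (idle timeout of 30 minutes assumed):
//   start_secure_session(1800);
//   $user = authenticate($pdo, (string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
//   if ($user !== null) { login_user($user); } else { /* generic "invalid credentials" message */ }
```

The single-session option the page mentions would be implemented on top of this by storing the current session ID against the user row in login_user() and rejecting requests whose session ID differs.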
Access Control
Rate Limiting
- Configurable maximum number of failed login attempts
- The source IP address is blocked once the threshold is reached
- The block lifts automatically after the configured duration
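One way to implement the threshold-and-block behaviour above, as an added example (not EasySign's code). Besides the counter itself, it shows the check practitioners most often get wrong: behind a reverse proxy the client address must be taken from X-Forwarded-For only when the direct peer is a trusted proxy, otherwise an attacker chooses which IP gets blocked. The table layout, the class name and the default thresholds are assumptions; REPLACE INTO is MySQL/SQLite syntax.

```php
<?php
declare(strict_types=1);

// Added example, not EasySign's own code. Assumes a table
//   login_attempts(ip VARCHAR(45) PRIMARY KEY, failures INT, first_failure INT, blocked_until INT)
// and an existing PDO connection.

final class LoginThrottle
{
    public function __construct(
        private PDO $pdo,
        private int $maxAttempts   = 5,
        private int $windowSeconds = 900,   // failures older than this are forgotten
        private int $blockSeconds  = 900,   // how long an IP stays blocked
    ) {}

    // Resolve the client IP. X-Forwarded-For is honoured only when the direct peer is
    // a trusted proxy; otherwise the header is attacker-controlled and would let a
    // client pick an arbitrary address to be counted (or blocked) under.
    public static function clientIp(array $server, array $trustedProxies): string
    {
        $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
        if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
            $chain     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
            $candidate = end($chain);   // the entry appended by the trusted proxy itself
            if (filter_var($candidate, FILTER_VALIDATE_IP)) {
                return $candidate;
            }
        }
        return $peer;
    }

    public function isBlocked(string $ip): bool
    {
        $stmt = $this->pdo->prepare('SELECT blocked_until FROM login_attempts WHERE ip = :ip');
        $stmt->execute([':ip' => $ip]);
        $until = $stmt->fetchColumn();
        return $until !== false && (int)$until > time();
    }

    public function recordFailure(string $ip): void
    {
        $now  = time();
        $stmt = $this->pdo->prepare('SELECT failures, first_failure FROM login_attempts WHERE ip = :ip');
        $stmt->execute([':ip' => $ip]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row === false || $now - (int)$row['first_failure'] > $this->windowSeconds) {
            $failures = 1;                          // first failure, or window expired: restart
            $first    = $now;
        } else {
            $failures = (int)$row['failures'] + 1;
            $first    = (int)$row['first_failure'];
        }
        $blockedUntil = $failures >= $this->maxAttempts ? $now + $this->blockSeconds : 0;

        $up = $this->pdo->prepare(
            'REPLACE INTO login_attempts (ip, failures, first_failure, blocked_until)
             VALUES (:ip, :f, :first, :until)'
        );
        $up->execute([':ip' => $ip, ':f' => $failures, ':first' => $first, ':until' => $blockedUntil]);
    }

    public function recordSuccess(string $ip): void
    {
        $this->pdo->prepare('DELETE FROM login_attempts WHERE ip = :ip')->execute([':ip' => $ip]);
    }
}

// Usage in the login handler (trusted proxy address assumed):
//   $throttle = new LoginThrottle($pdo);
//   $ip = LoginThrottle::clientIp($_SERVER, ['10.0.0.5']);
//   if ($throttle->isBlocked($ip)) { http_response_code(429); exit; }
//   ... attempt authentication ...
//   $ok ? $throttle->recordSuccess($ip) : $throttle->recordFailure($ip);
```

Blocking by IP alone does not stop a distributed attack that spreads attempts across many addresses; pairing it with a per-account counter (same structure, keyed by e-mail) closes that gap.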
IP/Email/Domain Blocking
Administrators can block:
- Specific IP addresses
- Specific email addresses
- Entire email domains
Role-Based Access
| Role | Access |
|---|---|
| User | Own documents only |
| Org Admin | Organization documents + member management |
| Admin | Full system access |
Application Security
SQL Injection Prevention
- All database queries use PDO prepared statements with bound parameters
- User input is never interpolated into an SQL string
XSS Prevention
- All output escaped with htmlspecialchars() before rendering (use ENT_QUOTES and an explicit UTF-8 charset so single-quoted attribute values are covered as well)
- Content-Security-Policy header restricts where scripts and other resources may be loaded from
- X-XSS-Protection header (a legacy control; current browsers ignore it, so CSP is the effective defence)
CSRF Protection
- CSRF token embedded in every form
- Token validated on every POST request; requests without a valid token are rejected
- SameSite cookie attribute as a second, browser-enforced layer
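The three application-level controls above, shown together in one form round trip as an added example (not EasySign's code): an escaping helper with ENT_QUOTES, a per-session CSRF token generated from the CSPRNG and checked with hash_equals(), and a prepared statement whose WHERE clause also enforces the "own documents only" rule. The route, table layout and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not EasySign's own code. Route, table and function names are assumptions.

// Escape for HTML body and attribute context. ENT_QUOTES also escapes single quotes,
// so the helper is safe inside value='...' as well as value="...".
function e(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One random token per session, created lazily: 32 bytes from the CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate on every state-changing request. hash_equals avoids timing leaks,
// and a missing or malformed token fails closed.
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

function render_rename_form(array $doc): string
{
    // Everything untrusted goes through e(); the token rides along as a hidden field.
    return '<form method="post" action="/documents/' . (int)$doc['id'] . '/rename">'
         . '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">'
         . '<input name="title" value="' . e($doc['title']) . '">'
         . '<button type="submit">Rename</button></form>';
}

// Returns the HTTP status the controller should send.
function handle_rename(PDO $pdo, int $userId, int $docId, array $post): int
{
    if (!csrf_check($post)) {
        return 403;
    }
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 200) {
        return 422;
    }
    // Ownership check and update are both prepared statements: input is bound, never
    // concatenated, and the user_id predicate stops one user renaming another's document.
    $own = $pdo->prepare('SELECT 1 FROM documents WHERE id = :id AND user_id = :uid');
    $own->execute([':id' => $docId, ':uid' => $userId]);
    if ($own->fetchColumn() === false) {
        return 404;
    }
    $upd = $pdo->prepare('UPDATE documents SET title = :t WHERE id = :id AND user_id = :uid');
    $upd->execute([':t' => $title, ':id' => $docId, ':uid' => $userId]);
    return 200;
}

// Constructed demonstration of the escaping: a title that tries to break out of the
// attribute and inject a script is rendered inert.
session_start();
echo render_rename_form(['id' => 7, 'title' => '"><script>alert(1)</script>']), "\n";
```

Returning 404 rather than 403 for a document that exists but belongs to someone else avoids confirming which document IDs are in use; adjust to taste, but be deliberate about it.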
Security Headers
All responses include:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self' https:; ...
The policy shown here is abbreviated. Note that 'https:' in default-src permits resources from any HTTPS origin unless narrower directives such as script-src override it, so tighten it to the origins the application actually loads from wherever possible.
File Upload Security
- MIME type validated server-side from the file contents, not from the client-supplied extension or Content-Type
- File extension whitelist (PDF only for documents)
- Maximum file size limits
- Files stored outside the web root, encrypted, so they can never be fetched directly by URL
- Random, unguessable filenames that are not derived from the uploaded name
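An upload handler applying each of the checks listed above, as an added example (not EasySign's code). It validates the upload came through PHP's own upload mechanism, enforces the size limit, checks the extension, then detects the type from the file's bytes with finfo and a magic-number check, and finally moves the file under a random name into a directory outside the web root. The storage path and size limit are assumptions, and the encryption step the page describes would be applied to the stored bytes in addition to what is shown here.

```php
<?php
declare(strict_types=1);

// Added example, not EasySign's own code. Storage directory and 20 MB limit are assumptions.
const MAX_UPLOAD_BYTES = 20 * 1024 * 1024;
const STORAGE_DIR      = '/var/lib/easysign/documents';   // outside the web root

// $file is one entry of $_FILES. Returns the storage filename to record in the
// database; throws with a user-safe message on any failed check.
function store_uploaded_pdf(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // refuses paths PHP did not receive via POST
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension whitelist on the client-supplied name: a cheap first filter only.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        throw new RuntimeException('only PDF documents are accepted');
    }
    // 2. Server-side type detection from the content. $file['type'] is sent by the
    //    client and is ignored on purpose.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('content is not a PDF');
    }
    // 3. Magic-number check as a second opinion: every PDF begins with "%PDF-".
    $head = file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($head !== '%PDF-') {
        throw new RuntimeException('content is not a PDF');
    }

    // Unguessable name, never derived from the user's filename, so there is no
    // path traversal and no way to enumerate other users' documents.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    $dest = STORAGE_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store document');
    }
    chmod($dest, 0600);   // readable by the application user only
    return $name;
}

// Usage in the upload controller:
//   $stored = store_uploaded_pdf($_FILES['document']);
//   ... insert $stored and the owner's user ID into the documents table ...
```

When the document is later served back, send it through a controller that checks ownership and sets Content-Disposition: attachment plus X-Content-Type-Options: nosniff; a PDF can carry embedded JavaScript, so never expose the storage directory to the web server directly.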
Audit Trail
All security-relevant actions are logged:
- Login attempts (success and failure)
- Password changes
- Document access and modifications
- Admin actions
- API access
Logs include timestamp, user ID, IP address, and action details.
Legal Compliance
E-Signature Validity
EasySign signatures are designed to satisfy the electronic-signature requirements of:
- ESIGN Act (United States, federal)
- eIDAS (European Union)
- UETA (adopted by most US states)
Audit Certificates
Each completed document includes a certificate with:
- Document hash (SHA-256)
- All signer details
- Timestamps for each action
- IP addresses
- Unique certificate ID
Vulnerability Management
Built-in security scanner (Admin → Security Scanner):
- Detects known vulnerabilities in the installed PHP version
- Checks Composer packages for published CVEs
- Provides upgrade recommendations
- Supports the technical vulnerability management control of ISO 27001 (Annex A.12.6.1 in the 2013 edition)
Security Best Practices
For Administrators
- Use strong, unique passwords for admin accounts
- Enable two-factor authentication
- Regularly review audit logs
- Keep PHP and Composer dependencies updated
- Run the vulnerability scanner weekly
- Use HTTPS with a valid TLS certificate
- Back up the database and the encryption key separately, so that a single leaked backup does not expose readable documents
For Users
- Use a strong password (12+ characters)
- Enable two-factor authentication
- Don't share signing links
- Verify signer email addresses carefully
- Log out when using shared computers
Reporting Security Issues
If you discover a security vulnerability:
- Do not publicly disclose the issue
- Email security details to the administrator
- Include steps to reproduce
- Allow time for a fix before disclosure