Enterprise Readiness in Zango
Zango is designed for enterprise readiness by default: if you are building business applications that must be robust and secure, it provides the features below out of the box to meet stringent enterprise requirements. This page highlights those enterprise-ready capabilities and the mechanisms that keep your applications secure, compliant and production-ready.
Application Security
Zango prioritizes security as a first-class feature, providing robust mechanisms to safeguard your applications against common vulnerabilities and threats. Below are the core security features offered by default:
1. Access Log
- Tracks and logs every user access to the application, giving visibility into who accessed what and when.
- Supports monitoring and compliance auditing; the access log is viewable in the App Panel.
2. Audit Logs
- Comprehensive logging of changes to application objects as well as framework objects.
- Ensures accountability and traceability for every action.
- Audit logs are easy to access through the App Panel.
3. Access Control
- Every view you create in Zango is blocked by default (deny by default), so no endpoint is reachable until access has been granted.
- Access is granted explicitly through policies, which reduces the risk of unauthorized access and keeps each user to the least privilege their role needs.
4. Debug Mode Verification
- Ensures `DEBUG = False` in production environments, so that debug error pages (which expose stack traces, settings and other sensitive information) are never served to users.
5. IP Restriction
- Restricts access to the App Panel to a configured IP whitelist (allowlist).
- Displays the list of allowed IPs for transparency.
- Deployment note: when Zango runs behind a reverse proxy or load balancer, the check must use the client address supplied by a trusted proxy header rather than the proxy's own address, otherwise every request appears to come from the proxy.
6. Account Lockout
- Locks an account after a configurable number of failed login attempts.
- Displays the lockout duration so administrators know how long an account stays locked.
7. Allowed Password Attempts
- Sets the number of failed login attempts allowed before the lockout above is triggered, slowing brute-force password guessing.
8. Password Policies
- Password Age: enforces a maximum password age, prompting users to change their password periodically.
- Password Strength: mandates complex passwords with a minimum length and required character classes.
9. HTTPS Enforcement
- Enforces HTTPS for all requests, protecting data in transit.
10. No Default Credentials
- Checks that no default IDs or passwords remain active in production environments.
11. Concurrent Sessions Disabled
- Prevents more than one concurrent session per user, limiting what an attacker can do with a hijacked session.
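How items 6 to 8 above fit together, as an added example in plain Python rather than Zango's own code: a password policy that checks length, character classes and maximum age, and a per-account guard that counts failed attempts and locks the account for a configurable duration. The class names, the defaults (12 characters, 90 days, 5 attempts, 15 minutes), the PBKDF2 password storage and the sample user are all assumptions made for the illustration; Zango exposes these settings through the App Panel.

```python
"""Login hardening: password policy and failed-attempt lockout.
Added example in plain Python (standard library only), not Zango's own code.
Class names, defaults and the sample user are assumptions chosen to show what
the Account Lockout, Allowed Password Attempts and Password Policies controls do.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Character classes a password must contain: (label, regex).
CHARACTER_CLASSES = (
    ("an uppercase letter", r"[A-Z]"),
    ("a lowercase letter", r"[a-z]"),
    ("a digit", r"[0-9]"),
    ("a symbol", r"[^A-Za-z0-9]"),
)

@dataclass
class PasswordPolicy:
    min_length: int = 12    # assumed defaults
    max_age_days: int = 90

    def violations(self, password: str) -> List[str]:
        """Every unmet requirement; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"at least {self.min_length} characters")
        for label, pattern in CHARACTER_CLASSES:
            if not re.search(pattern, password):
                problems.append(label)
        return problems

    def is_expired(self, changed_at: float, now: float) -> bool:
        """True once the password is older than max_age_days (Unix timestamps)."""
        return now - changed_at > self.max_age_days * 86400

@dataclass
class LoginGuard:
    """Per-account failure counter that locks the account after max_attempts."""
    max_attempts: int = 5       # the 'allowed password attempts' setting
    lockout_seconds: int = 900  # the lockout duration shown to administrators
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def seconds_remaining(self, username: str, now: float) -> int:
        """0 when not locked; otherwise seconds until the lockout expires."""
        until = self.locked_until.get(username)
        if until is None:
            return 0
        if now >= until:
            # Lockout expired: clear state so the account gets a fresh allowance.
            self.locked_until.pop(username, None)
            self.failures.pop(username, None)
            return 0
        return int(until - now)

    def record_failure(self, username: str, now: float) -> bool:
        """Count a failed attempt; return True if it triggered a lockout."""
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)

def make_user(password: str, changed_at: float) -> Dict:
    """Constructed user record: salted PBKDF2-HMAC-SHA256 hash plus last-change time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "changed_at": changed_at}

def verify_password(record: Dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(digest, record["hash"])

def attempt_login(guard: LoginGuard, policy: PasswordPolicy, users: Dict[str, Dict],
                  username: str, password: str, now: float) -> str:
    """Return 'locked', 'denied', 'password_expired' or 'ok'."""
    if guard.seconds_remaining(username, now) > 0:
        return "locked"
    record = users.get(username)
    # Unknown users and wrong passwords both give 'denied', so the response
    # does not reveal which accounts exist.
    if record is None or not verify_password(record, password):
        guard.record_failure(username, now)
        return "denied"
    guard.record_success(username)
    if policy.is_expired(record["changed_at"], now):
        return "password_expired"
    return "ok"
```

Two points worth checking in any deployment: the lockout is keyed by username, so an attacker who knows a username can lock its owner out, which is one reason the API rate limiting described later should also apply per source address; and the same "denied" result is returned for unknown users and wrong passwords so that login responses do not enumerate accounts.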
Web Application Security
1. XSS Protection
- Sets the legacy `X-XSS-Protection` response header. Current browsers ignore this header (the reflected-XSS filter it controlled has been removed), so the effective defence against cross-site scripting is the Content Security Policy below together with output encoding in templates.
2. Content Security Policy (CSP)
- Enforces a Content Security Policy that names the trusted sources for scripts and other resources, so injected content such as an XSS payload is not executed.
3. SQL Injection Protection
- Database access goes through the ORM, which parameterizes queries (prepared statements) to guard against SQL injection. Any raw SQL you write yourself must pass values as query parameters rather than interpolating them into the query string.
4. Clickjacking Protection
- Sends the `X-Frame-Options` header so the application cannot be embedded in a frame on another site; the CSP `frame-ancestors` directive provides the same protection and should agree with it.
5. Secure Cookies
- Sets the `Secure` and `HttpOnly` flags on cookies, so they are transmitted only over HTTPS and cannot be read by JavaScript.
API Security
1. API Rate Limiting
- Rate-limits API endpoints to slow brute-force attacks and blunt denial-of-service (DoS) attempts.
2. Data Encryption in Transit
- Encrypts data in transit using TLS, ensuring secure communication between clients and servers.
3. Security Headers Compliance
- Includes essential HTTP headers: `Strict-Transport-Security`, `X-Content-Type-Options` and `Referrer-Policy`.
4. External Resource Control
- Validates that only trusted and necessary external resources are loaded, minimizing exposure to supply-chain attacks through third-party assets.
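A practical check for the Web Application Security and API Security headers listed above, as an added example in plain Python that is not Zango's own code: it takes the response headers of a page (for instance the output of `curl -I` against your deployment) and reports which controls are missing or weak, including the cookie flags, and flags `X-XSS-Protection` as a legacy header. The one-year HSTS threshold, the CSP source checks, the `SameSite` cookie check and the two sample responses are constructed for the example.

```python
"""Security-header compliance check for an HTTP response.

Added example in plain Python (standard library only), not Zango's own code.
Threshold values and the two sample responses below are constructed for
illustration; point the checker at the headers your own deployment returns.
"""
import re
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual baseline (assumed threshold)

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def cookie_findings(set_cookie: str) -> List[str]:
    """Require Secure, HttpOnly and SameSite on every Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} lacks {flag}" for flag in ("Secure", "HttpOnly", "SameSite")
            if flag.lower() not in attrs]

def check_security_headers(headers: Dict[str, str],
                           set_cookies: Optional[List[str]] = None) -> List[str]:
    """Return a list of findings; an empty list means the response is compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent.
        script_src = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script_src:
                findings.append(f"CSP script-src allows {weak}")

    # Clickjacking: either CSP frame-ancestors or a restrictive X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if not (csp and "frame-ancestors" in csp) and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # X-XSS-Protection controlled a browser filter that current browsers have
    # removed; its presence is harmless, but CSP is the actual control.
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is a legacy header ignored by current browsers; rely on CSP")

    for cookie in set_cookies or []:
        findings.extend(cookie_findings(cookie))
    return findings

# Constructed sample responses (not captured from any real deployment).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=600",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_COOKIES = ["sessionid=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, check_security_headers(hdrs, cookies) or ["compliant"])
```

Run it against a real response by pasting the header lines into a dict and every `Set-Cookie` line into the list; the checker treats `default-src` as the fallback for `script-src`, as browsers do, so a policy that only sets `default-src 'self' 'unsafe-inline'` is still reported.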
Audit and Monitoring
- Comprehensive Audit Logging: captures critical user and system actions for compliance and forensic analysis.
- Access Visibility: provides detailed insight into who accessed the system and what they did.
- Automated Alerts: integration of alerts for suspicious activity is planned and not yet available.
By adopting Zango, you empower your business with a framework that is built for secure, enterprise-grade applications.