Enterprise Readiness in Zango
Zango is designed to be enterprise-ready by default. If you intend to build robust and secure business applications, Zango offers out of the box a suite of features that meet stringent enterprise requirements. Below are Zango's enterprise-ready capabilities and the mechanisms that keep your applications secure, compliant, and production-ready.
Application Security
Zango prioritizes security as a first-class feature, providing robust mechanisms to safeguard your applications against common vulnerabilities and threats. The core security features offered by default are:
Access Log
Tracks and logs all user access to the application, giving visibility into who accessed what and when, and facilitating monitoring and compliance auditing through the App Panel.
Audit Logs
Comprehensive logging of actions on both application and framework objects, ensuring accountability and traceability for every action, with easy access through the App Panel.
Access Control
Every view you create in Zango is blocked by default, enforcing zero trust. Access is explicitly granted through policies, reducing the risk of unauthorized access.
Debug Mode Verification
Ensures DEBUG = False in production environments to prevent sensitive information leakage.
IP Restriction
Restricts access to the App Panel based on configured IP whitelists, and displays the list of allowed IPs for transparency.
Account Lockout
Locks accounts after a configurable number of failed login attempts, and displays the lockout duration to inform administrators.
Allowed Password Attempts
Sets a limit on failed login attempts to mitigate brute-force attacks.
Password Policies
Enforces maximum password age, prompting periodic updates, and mandates password strength with defined length and character requirements.
HTTPS Enforcement
Ensures HTTPS-only is enforced for all requests, securing data in transit.
No Default Credentials
Validates that no default IDs or passwords are active in production environments.
Concurrent Sessions Disabled
Prevents multiple concurrent sessions per user to mitigate session hijacking risks.
Web Application Security
XSS Protection
Configures HTTP response headers (e.g. X-XSS-Protection) to mitigate cross-site scripting attacks.
Content Security Policy
Enforces CSP to prevent data injection attacks such as XSS by specifying trusted sources for scripts and other resources.
SQL Injection Protection
Uses prepared statements and ORM protections to guard against SQL injection vulnerabilities.
Clickjacking Protection
Implements X-Frame-Options headers to prevent clickjacking attacks.
Secure Cookies
Sets Secure and HttpOnly flags so cookies are inaccessible to JavaScript and transmitted only over HTTPS.
API Security
API Rate Limiting
Enforces rate-limiting on API endpoints to mitigate brute-force attacks and prevent denial-of-service (DoS) incidents.
Data Encryption in Transit
Encrypts data in transit using TLS, ensuring secure communication between clients and servers.
Security Headers Compliance
Includes essential HTTP headers such as Strict-Transport-Security, X-Content-Type-Options, and Referrer-Policy.
External Resource Control
Validates that only trusted and necessary external resources are allowed, minimizing exposure to supply chain attacks.
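As an added example that is not part of Zango's documentation or code base, the following script audits a single HTTP response against the header and cookie checklist above (HSTS, X-Content-Type-Options, Referrer-Policy, X-Frame-Options, CSP, and Secure/HttpOnly cookies); the response values are constructed for illustration.

```python
# Added example, not Zango's own code: audit one HTTP response against the
# security-header and cookie-flag checklist described on this page.
from http.cookies import SimpleCookie

# Each listed header with a substring a compliant value must contain ("" = any).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": "max-age=",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "",
    "X-Frame-Options": "",
    "Content-Security-Policy": "default-src",
}

def audit_headers(headers):
    """Return findings for a response header dict; [] means compliant."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, needle in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif needle and needle not in value:
            findings.append(f"weak {name}: {value!r}")
    # X-Frame-Options only blocks framing with one of these two values.
    xfo = lower.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"invalid X-Frame-Options: {xfo!r}")
    return findings

def audit_cookies(set_cookie_values):
    """Flag any Set-Cookie line whose cookie lacks Secure or HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)  # flag attributes parse to True, absent ones stay ""
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name} lacks Secure")
            if not morsel["httponly"]:
                findings.append(f"cookie {name} lacks HttpOnly")
    return findings

# Constructed sample responses, not captured from any real deployment.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "same-origin",
    "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'",
}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly"]
WEAK_HEADERS = {"X-Frame-Options": "ALLOWALL", "Content-Type": "text/html"}
WEAK_COOKIES = ["sessionid=abc123; Path=/; Secure"]
```

Run `audit_headers(WEAK_HEADERS) + audit_cookies(WEAK_COOKIES)` to see every finding for the weak response; the hardened sample produces none.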
Audit and Monitoring
Comprehensive Audit Logging
Captures critical user and system actions for compliance and forensic analysis.
Access Visibility
Provides detailed insights into system access and activities.
Automated Alerts
Support for integrating alerts on suspicious activity is planned for a future release.
By adopting Zango, you empower your business with a framework that is built for secure, enterprise-grade applications.