Brimbox Version 2.3.4 Released


Security in Brimbox is simple. It is based on two principles.

First, modules or files that are included (or required) should be protected from direct access by a constant. The constant BASE_CHECK is used to deny direct access to files that are included and is set by the controller:

if (!defined('BASE_CHECK')) exit();

The second is checking that a $_SESSION variable is set and has the proper user permission:

If the $main object is available:

$main->check_permission(array("4_bb_brimbox", "5_bb_brimbox"));

However, in custom post files you may have to check manually:

if (isset($_SESSION['username']) && in_array($_SESSION['userrole'], array("4_bb_brimbox", "5_bb_brimbox"))):


The index.php and post.php controller files will just check that a $_SESSION is set.
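
The two checks above combined in one custom post file, as an added example (not Brimbox's own code). It assumes the controller has already defined BASE_CHECK and started the session; the function name custom_post_allowed and the 403 status code are assumptions of this example.

```php
<?php
// Added example, not Brimbox code: a hypothetical custom post file.
// Assumption: the controller ran define('BASE_CHECK', true) and
// session_start() before including this file.

// Principle 1: a direct request never defines BASE_CHECK, so stop here.
if (!defined('BASE_CHECK')) {
    http_response_code(403); // assumption: the page's own guard only calls exit()
    exit();
}

/**
 * Principle 2 as a function: true only for a logged-in user whose role
 * is in the allowed list. Fails closed on missing or malformed values.
 */
function custom_post_allowed(array $session, array $allowed_roles): bool
{
    // No login state at all.
    if (!isset($session['username'], $session['userrole'])) {
        return false;
    }
    // A username must be a non-empty string.
    if (!is_string($session['username']) || $session['username'] === '') {
        return false;
    }
    // Third argument true = strict comparison, so a non-string value such as
    // boolean true cannot loosely match a role name.
    return in_array($session['userrole'], $allowed_roles, true);
}

// Role names as used in the manual check above.
$allowed = array("4_bb_brimbox", "5_bb_brimbox");

// $_SESSION is undefined when no session was started; treat that as empty.
if (!custom_post_allowed($_SESSION ?? array(), $allowed)) {
    http_response_code(403);
    exit();
}

// Only reached through the controller, by a user holding an allowed role.
// ... custom post handling goes here ...
```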

If you wish to further lock down Brimbox you can use .htaccess files in the directories:

Order deny,allow
Deny from all
allow from
<Files "javascript.js">
Allow from all
</Files>

Finally, Brimbox files are stored in public directories.

Having a file included by index.php below the public web directory in location "../../include.php" is no more secure than including a file by index.php in the public web directory "include.php" that is protected by a constant.

If a hacker can set a constant, he can set an include (or require).

Brimbox approaches security head-on and assumes that hiding things is confusing, not secure.

Updated: 2017-09-10