# Security

Source: https://kart.bnomei.com/docs/data/security
Updated: 2025-08-08T14:07:01+00:00
Summary: Secure your Kirby CMS: disable endpoints under attack, enforce HTTPS, protect .env, set CSP headers, configure server rules, disable debug mode.

## Under attack?

Use the following configuration to disable all Kirby Kart plugin API endpoints. This will ensure that your website remains online. However, the Kirby Kart plugin will not perform functions like logging in, generating magic links, adding products to the cart, or initiating or completing checkouts.

Path: site/config/config.php

```php
<?php

return [
    // The name of the option that disables the Kart API endpoints was lost when this
    // page was extracted; look it up in the Kirby Kart docs and replace the placeholder.
    '<kart-endpoints-option-missing-on-page>' => true,
    // other options
];
```

## Payments

Since the heavy lifting of handling the payments is 100% under the provider's control and happens on their web servers, there are no real concerns to be found here.

## HTTPS / SSL

Having said that, your production server should be secured with an SSL certificate, and all traffic and assets should be served over HTTPS.

## Server Config

While Kirby provides you with a basic `.htaccess` file, I would recommend adding a few more rules to improve the security and performance of both [Apache](https://github.com/h5bp/server-configs-apache) and [Nginx](https://github.com/h5bp/server-configs-nginx).

## Secrets via .env File

Make sure your server is configured to not serve dotfiles like the `.env` file in which the API credentials of your provider will be stored. Never place sensitive files like `.env` in your web root. Consider using a [custom folder setup](https://getkirby.com/docs/guide/configuration/custom-folder-setup) and move `index.php` to `public/index.php`, so that only the `public` folder is exposed by the web server.

## Content Security Policy Headers (CSP)

I highly recommend setting up a tight CSP, whether or not you intend to include scripts, images or iframes from external sources. Only allow what you need and block everything else.

My [security headers plugin](https://github.com/bnomei/kirby3-security-headers) comes with sensible defaults and some tips on how to get started defining rules.

## Last but not least, debug = false

The official Kirby CMS docs have a worthwhile guide on how to make your Kirby installation even [more secure](https://getkirby.com/docs/guide/security). Be sure to check it out. One topic is deactivating the debug mode. I achieve this by explicitly turning it off globally and only turning it on for local development.

Path: site/config/config.php

```php
<?php

return [
    'debug' => false, // off globally; the per-host configs below override this
    'session' => ['cookieName' => 'session'],
    'yaml.handler' => 'symfony', // future-proof
    // other options
];
```

Path: site/config/config.example.test.php

```php
<?php

// Local development host only: debug on, page cache and content locking off
return [
    'cache' => ['pages' => ['active' => false]],
    'content' => ['locking' => false],
    'debug' => true,
    'editor' => 'vscode',
    // other options
];
```

Path: site/config/config.www.example.com.php

```php
<?php

// Production host: debug and panel installer off, canonical https URL enforced
return [
    'cache' => ['pages' => ['active' => true]], // depends
    'debug' => false, // double-tap to be sure
    'panel' => ['install' => false], // double-tap to be sure
    'url' => 'https://www.example.com', // enforce https and www
    // other options
];
```
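To verify the HTTPS, `.env` and CSP points above from the outside, here is an added shell audit (example code, not part of the Kirby Kart docs or the plugin). The function names, the `curl` calls and the host `https://www.example.com` are assumptions; the sample header blocks are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Kirby Kart docs: audit a site's HTTP responses for the
# points above (dotfiles not served, HTTPS enforced, CSP header present). The checks take
# raw response headers as text, so they can be exercised offline on constructed input.

# status_code: HTTP status from the first line of a raw header block ("HTTP/1.1 403 ...").
status_code() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# dotfile_blocked: a probe for /.env must get a real answer that is not 200 (403/404 expected).
dotfile_blocked() {
  code=$(status_code "$1")
  [ -n "$code" ] && [ "$code" != "200" ]
}

# https_enforced: a plain-http request must redirect to an https:// location.
https_enforced() {
  case "$(status_code "$1")" in 301|302|307|308) ;; *) return 1 ;; esac
  printf '%s\n' "$1" | grep -qi '^location: https://'
}

# csp_present: a Content-Security-Policy header must be set.
csp_present() {
  printf '%s\n' "$1" | grep -qi '^content-security-policy:'
}

# Constructed sample responses (not captured from a real host) for an offline self check.
SAMPLE_ENV_BLOCKED='HTTP/1.1 403 Forbidden
Server: nginx'
SAMPLE_ENV_SERVED='HTTP/1.1 200 OK
Content-Type: text/plain'
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/'
SAMPLE_HOME="HTTP/2 200
Content-Security-Policy: default-src 'self'"

# audit_site: live run against one host (assumes curl; https://www.example.com is a placeholder).
audit_site() {
  base="$1"
  plain=$(printf '%s' "$base" | sed 's#^https:#http:#')
  dotfile_blocked "$(curl -sI "$base/.env")" && echo ".env blocked" || echo "FAIL: .env served"
  https_enforced "$(curl -sI "$plain/")" && echo "HTTPS enforced" || echo "FAIL: no https redirect"
  csp_present "$(curl -sI "$base/")" && echo "CSP present" || echo "FAIL: no CSP header"
}
```

Run `audit_site https://www.example.com` after deploying; a `FAIL` line on the `.env` probe means the dotfile rule or the `public/` folder setup is not in effect.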