Security Measures

Public Area

Measure                     Description
--------------------------  -------------------------------------------------------------------------
CSRF Protection             The contact form and membership application are protected by a CSRF token. Requests without a valid token are rejected.
Rate Limiting               At most 5 contact requests per IP address within 15 minutes. Additional requests are silently discarded.
Honeypot Field              An invisible form field catches automated spam bots that fill in every field.
Input Validation            All form entries are checked for length, format (e.g., email address) and required fields.
XSS Protection              All user input is HTML-encoded before it is rendered in a page.
SQL Injection Protection    All database access goes through parameterized queries (prepared statements).
Upload Validation           Uploaded files are validated by MIME type check and a file extension whitelist.

Admin Security

Measure                     Description
--------------------------  -------------------------------------------------------------------------
Authentication              Access only with a valid username and password. Every admin page checks the login status.
Brute-Force Protection      After 3 failed login attempts within 10 minutes, the account is locked for 60 minutes.
Secure Password Storage     Passwords are hashed with bcrypt. Hashes using an outdated cost or algorithm are automatically rehashed on the next successful login.
Session Security            After a successful login the session ID is regenerated (session fixation protection).
CSRF Protection             All admin forms and AJAX requests are protected by CSRF tokens.
Permission System           Granular permissions per module. Each admin sees and uses only the functions they have been granted access to.
Action Log                  Changes made by admins are written to an audit log that can be viewed in the dashboard.
Upload Validation           Image and PDF uploads are checked server-side by MIME type and file size.
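The two time-window rules in the tables (5 contact requests per IP within 15 minutes, and 3 failed logins within 10 minutes locking the account for 60 minutes) share the same sliding-window counting logic. The following is an added example, not the application's own code; it assumes an in-memory store and an injectable clock, and the class and method names are illustrative.

```python
import time
from collections import defaultdict, deque

# Added example (not the application's code); the clock is injectable so the
# window and lockout timings can be exercised without waiting for real time.
class SlidingWindow:
    """Per-key event timestamps kept for `window` seconds."""
    def __init__(self, window, clock=time.time):
        self.window, self.clock, self.events = window, clock, defaultdict(deque)

    def record(self, key):
        """Record one event; return how many events the key has inside the window."""
        now, q = self.clock(), self.events[key]
        while q and q[0] <= now - self.window:   # drop expired timestamps
            q.popleft()
        q.append(now)
        return len(q)

    def reset(self, key):
        self.events.pop(key, None)

class ContactRateLimiter:
    """Public contact form: at most 5 requests per IP within 15 minutes."""
    LIMIT, WINDOW = 5, 15 * 60

    def __init__(self, clock=time.time):
        self.window = SlidingWindow(self.WINDOW, clock)

    def allow(self, ip):
        # Discarded requests still count, so a flood cannot slip in once the 5th is sent.
        return self.window.record(ip) <= self.LIMIT

class LoginLockout:
    """Admin login: 3 failures within 10 minutes lock the account for 60 minutes."""
    MAX_FAILURES, WINDOW, LOCK_FOR = 3, 10 * 60, 60 * 60

    def __init__(self, clock=time.time):
        self.clock, self.failures = clock, SlidingWindow(self.WINDOW, clock)
        self.locked_until = {}

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0)

    def record_failure(self, username):
        """Call after a wrong password; returns True if the account is now locked."""
        if self.failures.record(username) >= self.MAX_FAILURES:
            self.locked_until[username] = self.clock() + self.LOCK_FOR
            self.failures.reset(username)
            return True
        return False

    def record_success(self, username):
        self.failures.reset(username)   # a good login clears the failure history
```

The login handler should check `is_locked` before verifying the password, so that a locked account does not reveal whether the password was correct.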