
5.6. Security and Cryptography

Content Security Policy
Amongst other things, MantisBT relies on Content Security Policy (CSP), which is a W3C candidate recommendation improving the system's security against cross-site scripting (XSS) and other, similar types of attacks. It is currently supported in recent versions of many browsers.

Note

CSP may cause issues in certain situations (e.g. during development), or when using plugins relying on externally hosted resources such as images or scripts.
MantisBT currently does not provide any mechanism for plugins to notify the Core of 'safe' external domains. Because of that, even though it is not recommended for obvious security reasons, you may wish to disable CSP. You can do so by specifying a Custom Header in your config_inc.php file (see Section 5.4, “Webserver”).

Warning

Disabling Content Security Policy is a security risk!
$g_crypto_master_salt
Master salt value used for cryptographic hashing throughout MantisBT. This value must be kept secret at all costs. You must generate a unique and random salt value for each installation of MantisBT you control. This string must be at least 16 characters long.
The value you select for this salt should be a long string generated using a secure random number generator. An example for Linux systems is:
cat /dev/urandom | head -c 64 | base64
Note that the number of bits of entropy per byte of output from /dev/urandom is not 8. If you're particularly paranoid and don't mind waiting a long time, you could use /dev/random to get much closer to 8 bits of entropy per byte. Moving the mouse (if possible) while generating entropy via /dev/random will greatly improve the speed at which /dev/random produces entropy.
This setting is blank by default, and MantisBT will not operate in that state, so you are forced to set this configuration option before the installation can be used.

Warning

This configuration option has a profound impact on the security of your MantisBT installation. Failure to set this configuration option correctly could lead to your MantisBT installation being compromised. Ensure that this value remains secret. Treat it with the same security that you'd treat the password to your MantisDB database.
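As an added example (not part of the MantisBT guide or code base), the following POSIX shell script produces a salt with the command shown above and checks whether a config_inc.php assigns $g_crypto_master_salt a non-blank value of at least 16 characters, which is what the guide requires. The write_config and check_master_salt helpers are mine, and check_master_salt assumes the assignment fits on one line.

```shell
#!/bin/sh
# Added example, not MantisBT code: generate a master salt the way the guide
# describes and check that a config_inc.php really sets $g_crypto_master_salt.

# Print a base64-encoded salt made from 64 bytes of /dev/urandom (the guide's
# one-liner), with the line wrapping some base64 implementations add removed.
gen_master_salt() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Write a minimal constructed config_inc.php to FILE ($1) using SALT ($2).
write_config() {
    printf '<?php\n$g_crypto_master_salt = %s%s%s;\n' "'" "$2" "'" > "$1"
}

# Exit 0 when FILE ($1) assigns $g_crypto_master_salt a quoted value of at
# least 16 characters (the guide's minimum); exit 1 when the setting is
# missing, blank or too short. Assumes the assignment fits on one line.
check_master_salt() {
    awk '
        /^[[:space:]]*[$]g_crypto_master_salt[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)   # drop everything up to "="
            sub(/[[:space:]]*;.*$/, "", v)      # drop the ";" and any comment
            gsub(/^["\047]|["\047]$/, "", v)    # strip the surrounding quotes
            value = v                           # a later assignment wins, as in PHP
        }
        END { exit (length(value) < 16) }
    ' "$1"
}

# Demonstration on constructed config fragments, not real installations.
demo() {
    dir=$(mktemp -d)
    write_config "$dir/good.php"  "$(gen_master_salt)"
    write_config "$dir/blank.php" ""          # the shipped default
    write_config "$dir/short.php" "changeme"  # below the 16-character minimum
    for name in good blank short; do
        if check_master_salt "$dir/$name.php"; then
            echo "$name.php: master salt OK"
        else
            echo "$name.php: master salt missing, blank or under 16 characters; MantisBT will not run"
        fi
    done
    rm -r "$dir"
}

demo
```

Run it as a pre-deployment check after editing config_inc.php; it reports the blank default and too-short values before MantisBT refuses to start.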