Batoi Press Docs

Security

Review the security model for Batoi Press installations, including installer locking, private directories, sessions, CSRF, uploads, and updates.

Batoi Press is designed for small public sites, but it still needs a disciplined security model around installation, admin access, uploads, and updates.

[Diagram: Batoi Press security layers. A layered security diagram for public routes, admin sessions, private files, uploads, and updates. Layers shown: public routes and static assets; admin login, sessions, CSRF, rate limits; private config, content, data, logs, backups; checksummed updates and rollback backups.]

Installation Lock

After first-run setup, Batoi Press creates:

radpress/config/installed.lock

Keep this file in place. Remove it only when intentionally rerunning setup on a controlled installation.

Private Directories

Protect:

  • radpress/config/
  • radpress/content/
  • radpress/data/
  • radpress/core/
  • radpress/admin/

When possible, keep radpress/ outside the public web root. If that is not possible, keep the included .htaccess protections in place.

Sensitive directories in the current build include .htaccess deny rules. Configuration files use JSON, not executable PHP.
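The two checks above (the installation lock is present, and each private directory carries a deny-all .htaccess with JSON rather than PHP in config/) can be verified before an installation goes live. The following audit script is an added example and not Batoi Press code; it assumes the directory names and lock path listed on this page, recognises both the Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") rule forms, and builds a constructed sample tree only so that it can run stand-alone.

```python
import json
import tempfile
from pathlib import Path

# Private directories and lock file path as documented on this page.
PRIVATE_DIRS = ["config", "content", "data", "core", "admin"]
LOCK_FILE = Path("config") / "installed.lock"


def htaccess_denies(htaccess: Path) -> bool:
    """True if the file exists and contains an Apache 2.2 or 2.4 style deny-all rule."""
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="replace").lower()
    return "require all denied" in text or "deny from all" in text


def audit_install(radpress: Path) -> list[str]:
    """Return findings for a radpress/ tree; an empty list means every check passed."""
    findings = []
    if not (radpress / LOCK_FILE).is_file():
        findings.append("installed.lock missing: first-run setup can be rerun")
    for name in PRIVATE_DIRS:
        d = radpress / name
        if not d.is_dir():
            findings.append(f"{name}/ missing")
            continue
        if not htaccess_denies(d / ".htaccess"):
            findings.append(f"{name}/ lacks a deny-all .htaccess")
    config_dir = radpress / "config"
    if config_dir.is_dir():
        for p in config_dir.iterdir():
            if p.suffix == ".php":
                findings.append(f"config/{p.name} is executable PHP, expected JSON")
            elif p.suffix == ".json":
                try:
                    json.loads(p.read_text())
                except json.JSONDecodeError:
                    findings.append(f"config/{p.name} is not valid JSON")
    return findings


def build_fixture(hardened: bool) -> Path:
    """Constructed sample tree (not a real installation) used to exercise the audit."""
    root = Path(tempfile.mkdtemp()) / "radpress"
    for name in PRIVATE_DIRS:
        d = root / name
        d.mkdir(parents=True)
        if hardened:
            (d / ".htaccess").write_text("Require all denied\n")
    (root / "config" / "site.json").write_text('{"title": "example"}')
    if hardened:
        (root / LOCK_FILE).write_text("")
    else:
        # A stray PHP config file is exactly what the audit should flag.
        (root / "config" / "legacy.php").write_text("<?php return [];")
    return root


if __name__ == "__main__":
    for finding in audit_install(build_fixture(hardened=False)):
        print("FINDING:", finding)
```

Run it against the real tree by calling audit_install(Path("/path/to/radpress")); an empty result is the expected state after setup.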

Admin Surface

  • Use strong owner passwords.
  • Keep sessions private and short-lived.
  • Use CSRF protection on admin writes.
  • Keep rate limits enabled for login.
  • Expect admin routes to redirect unauthenticated requests to login.
  • Admin write actions record audit log entries for governance review.
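Three of the items above (redirecting unauthenticated admin requests, CSRF protection on writes, and login rate limiting) are shown together below in an added example that is not Batoi Press code. It assumes a session represented as a dict with an "id" and an "owner_id" key, a form field named csrf_token, and a per-client key (IP address or username) for the limiter; the injectable clock exists only so the limiter can be tested without waiting.

```python
import hmac
import secrets
import time
from collections import deque


class CsrfTokens:
    """Per-session CSRF tokens: issued when a form is rendered, required on every admin write."""

    def __init__(self):
        self._by_session = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_session[session_id] = token
        return token

    def verify(self, session_id: str, submitted) -> bool:
        expected = self._by_session.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison so the token cannot be recovered through timing.
        return hmac.compare_digest(expected, submitted)


class LoginRateLimiter:
    """Sliding-window cap on login attempts per client key (assumed: IP or username)."""

    def __init__(self, max_attempts: int, window_seconds: float, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        attempts = self._attempts.setdefault(key, deque())
        # Drop attempts that have aged out of the window.
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            return False
        attempts.append(now)
        return True


def handle_admin_write(session: dict, form: dict, csrf: CsrfTokens) -> tuple[int, str]:
    """Dispatch an admin POST: no owner in session -> redirect to login; bad token -> 403."""
    if not session.get("owner_id"):
        return 302, "/admin/login"
    if not csrf.verify(session["id"], form.get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "ok"
```

The limiter keys on the caller-supplied string, so a deployment behind a reverse proxy must derive that key from the trusted forwarded address rather than the proxy's own.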

Uploads

Uploads should be allowlisted by type, assigned generated filenames, and stored where direct execution is not possible.

The default allowed upload extensions are:

jpg, jpeg, png, gif, webp, pdf, txt, md

The default maximum upload size is 5 MB.
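The upload rules above (extension allowlist, generated filenames, and the 5 MB cap) are implemented below as an added example that is not Batoi Press code. It uses the page's default extension list and size limit; the additional magic-byte check for the binary formats is an assumption the page does not state, added because an allowlist on the extension alone does not establish what the bytes are.

```python
import secrets
from dataclasses import dataclass

# Defaults documented on this page.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "md"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Leading bytes of the binary formats in the allowlist (assumption: txt and md are not sniffed).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    pass


@dataclass
class StoredUpload:
    stored_name: str
    extension: str
    size: int


def extension_of(filename: str) -> str:
    """Final suffix of the client-supplied name, lower-cased; path components are ignored."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def content_matches(ext: str, data: bytes) -> bool:
    """True if the leading bytes are consistent with the declared extension."""
    if ext == "webp":
        return data.startswith(b"RIFF") and data[8:12] == b"WEBP"
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    return True  # plain-text types have no signature


def validate_upload(filename: str, data: bytes) -> StoredUpload:
    """Allowlist the type, enforce the size cap, and assign a generated filename."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if len(data) == 0:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds 5 MB")
    if not content_matches(ext, data):
        raise UploadRejected("content does not match declared type")
    # The client-supplied name never reaches the filesystem; only the vetted extension survives.
    return StoredUpload(f"{secrets.token_hex(16)}.{ext}", ext, len(data))
```

The stored file still belongs in a directory that the web server serves as static content only, which is what the page means by "stored where direct execution is not possible".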

Updates

Only apply packages that match the published SHA-256 checksum. Update packages are staged before live replacement, applied from a release manifest, checked after installation, and automatically rolled back when guarded apply or health checks fail.
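The update flow above (checksum gate, staging, manifest check, live replacement, health check, rollback) is shown end to end in the added example below, which is not Batoi Press code. It assumes a package delivered as a zip archive containing a manifest.json with per-file SHA-256 digests, a health check supplied as a callable over the live directory, and a constructed sample release so the block runs stand-alone.

```python
import hashlib
import hmac
import io
import json
import shutil
import tempfile
import zipfile
from pathlib import Path


class UpdateFailed(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(package: bytes, published_sha256: str) -> None:
    """Refuse any package whose digest differs from the published SHA-256."""
    if not hmac.compare_digest(sha256_hex(package), published_sha256.lower()):
        raise UpdateFailed("package checksum does not match published SHA-256")


def stage_package(package: bytes, staging: Path) -> dict:
    """Extract into staging and check every manifest entry before anything goes live."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            # Reject entries that would escape the staging directory.
            if name.startswith("/") or ".." in Path(name).parts:
                raise UpdateFailed(f"unsafe path in package: {name}")
        zf.extractall(staging)
    manifest = json.loads((staging / "manifest.json").read_text())  # assumed manifest name
    for rel, digest in manifest["files"].items():
        staged = staging / rel
        if not staged.is_file() or sha256_hex(staged.read_bytes()) != digest:
            raise UpdateFailed(f"staged file failed manifest check: {rel}")
    return manifest


def apply_with_rollback(live: Path, staging: Path, backup: Path, manifest: dict, health_check) -> bool:
    """Back up the files to be replaced, copy in the staged ones, then verify or roll back."""
    touched = list(manifest["files"])
    for rel in touched:
        current = live / rel
        if current.exists():
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(current, dest)
    try:
        for rel in touched:
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(staging / rel, target)
        if not health_check(live):
            raise UpdateFailed("post-install health check failed")
    except Exception:
        # Restore what was backed up; remove files that did not exist before.
        for rel in touched:
            saved, target = backup / rel, live / rel
            if saved.exists():
                shutil.copy2(saved, target)
            elif target.exists():
                target.unlink()
        return False
    return True


def run_update(live: Path, package: bytes, published_sha256: str, health_check) -> bool:
    verify_package(package, published_sha256)
    work = Path(tempfile.mkdtemp())
    staging, backup = work / "staging", work / "backup"
    staging.mkdir()
    backup.mkdir()
    manifest = stage_package(package, staging)
    return apply_with_rollback(live, staging, backup, manifest, health_check)


def build_package(files: dict) -> bytes:
    """Constructed sample release (not a real Batoi Press package) with per-file digests."""
    manifest = {"version": "example", "files": {rel: sha256_hex(data) for rel, data in files.items()}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for rel, data in files.items():
            zf.writestr(rel, data)
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


def demo() -> dict:
    """Exercise the three outcomes: bad checksum refused, failed health check rolled back, healthy applied."""
    live = Path(tempfile.mkdtemp()) / "radpress"
    (live / "core").mkdir(parents=True)
    (live / "core" / "app.php").write_text("v1")
    pkg = build_package({"core/app.php": b"v2"})
    good = sha256_hex(pkg)
    results = {}
    try:
        run_update(live, pkg, "00" * 32, lambda d: True)
        results["bad_checksum"] = "applied"
    except UpdateFailed:
        results["bad_checksum"] = "refused"
    results["failing_health"] = run_update(live, pkg, good, lambda d: False)
    results["after_rollback"] = (live / "core" / "app.php").read_text()
    results["healthy"] = run_update(live, pkg, good, lambda d: (d / "core" / "app.php").read_text() == "v2")
    results["after_apply"] = (live / "core" / "app.php").read_text()
    return results
```

The checksum is compared before extraction, so a tampered archive is never unpacked, and the backup directory is kept after a successful apply because it is the only path back if a defect surfaces later.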

Current Hardening Notes

HTML content is sanitized before rendering. Role enforcement per action is still a future hardening item in the current Batoi Press roadmap.