We're excited to announce that the first official release of [CMS Airship](https://github.com/paragonie/airship) is now available to download and install. * [Get CMS Airship](https://github.com/paragonie/airship/releases) * [CMS Airship Documentation](https://github.com/paragonie/airship-docs) For anyone who hasn't been following along with our development work over the past few months, CMS Airship is a secure PHP CMS developed by Paragon Initiative Enterprises. CMS Airship utilizes [strong side-channel resistant cryptography](https://paragonie.com/blog/2015/09/how-to-safely-implement-cryptography-in-any-application), [solves the problem of secure code delivery](https://paragonie.com/blog/2016/05/keyggdrasil-continuum-cryptography-powering-cms-airship), and [provides a list of security benefits other PHP projects can't match](https://github.com/paragonie/airship-docs/blob/master/en-us/WHY.md#the-security-benefits-of-using-airship).

PHP CMS Out-of-the-Box Security Comparison Chart
Security Feature	CMS Airship	WordPress	Drupal	Joomla!	Notes
Note: A detailed technical breakdown of the security of the other CMS platforms is available.
Automatic Updates					The automatic updates you receive are secure against forgery even if our update server is compromised.
Prepared Statements					For preventing SQL Injection vulnerabilities.
CSRF Protection Everywhere					Plugins notwithstanding.
Context-Aware Output Escaping		Escapes on input			For preventing cross-site scripting vulnerabilities.
Content Security Policy					CMS Airship lets you manage CSP and HPKP headers through a web interface.
HTTP Public-Key-Pinning
Password Hashing	Argon2i	Salted MD5	SHA512Crypt	bcrypt	Read more about how to safely store users' passwords and why Argon2 is the best choice.
Two-Factor Authentication
Secure "Remember Me" Checkboxes					We outlined how to implement secure "remember me" checkboxes in PHP last year.
Login Brute-Force Resistance
Account Recovery: Opt Out
Account Recovery: GnuPG Encryption					CMS Airship allows users to provide a public key, which will be used to encrypt the outgoing account recovery emails.
Encryption	Halite	N/A	N/A	Defuse v1*	* As of v3.5.0; before, JCrypt was insecure.
Minimum PHP Version	7.0	5.2.4	5.5.9	5.3.10	Read more about why low minimum PHP version requirements are bad for security.
Code Footprint	56,078	490,115	978,569	851,019	Less code usually implies less room for bugs to slip in. This metric is useful for estimating the cost of a full audit.
Free / Open Source	Github	Trac	Git	Github	All four are released under GPL
Security Feature	CMS Airship	WordPress	Drupal	Joomla!	Notes

CMS Airship is free software available under the GNU Public License. [We also sell commercial licenses](https://paragonie.com/contact) for companies that desire to use CMS Airship to develop non-GPL software. ## What Airship Gives You, Out of the Box Like most other platforms, CMS Airship is fully customizable with its own plugin system. If you don't like the way it looks, or how a certain feature is implemented, you can create and share a third-party extension that alters its appearance or behavior. With that in mind, what follows is a list of benefits and features CMS Airship gives you without any third-party extensions.

A Robust, Self-Healing System

Should a security vulnerability ever be found in CMS Airship, the patch will be installed on your system within an hour of its release by our team. With Airship, you'll never have to feel the dread of [these words that followed a Drupal SQL injection vulnerability](https://blog.sucuri.net/2014/10/drupal-sql-injection-attempts-in-the-wild.html): > You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement. In addition to having rapid self-updating as a first-class feature, we've built the first PHP content management system that solves the [triangle of secure code delivery](https://defuse.ca/triangle-of-secure-code-delivery.htm). This triple-decker of extra security applies not only to core updates: community-developed extensions are signed by their developers' signing keys, synchronized through the entire network, and verified independently of our infrastructure. ***Even if our network is compromised, software authenticity is guaranteed!*** Can any other CMS/blogging platform offer the same security guarantees, even outside of PHP?

The OWASP Top 10 is Mitigated

It should come as no surprise that we've [pored over every line of code multiple times](https://github.com/paragonie/airship/pull/40) to ensure our code is free of any possible vulnerabilities, especially the OWASP Top 10 most common web application vulnerabilities. We maintain a list of [entire bug classes you'll almost certainly never have to worry about with CMS Airship](https://github.com/paragonie/airship-docs/blob/master/en-us/WHY.md#vulnerabilities-we-prevent) in the official online documentation. The only entry on the OWASP Top 10 list that you *may* still have to watch out for is *security misconfiguration*, but only if you change any of the settings. **CMS Airship is secure by default.** Sentinel is a combination of best-in-class security features that provide you and your users the best protection possible for free. Sentinel is a culmination of three years of cutting edge PHP security and applied cryptography research, along with a plethora of security advisories for other free and open source software projects. * When you create an account on any Airship, your [password is safely stored](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016) using Argon2i (provided by libsodium), and the hash is then encrypted with [authenticated encryption](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly). * **CMS Airship rejects weak passwords** (defined as: any password that scores a Zxcvbn score less than 3). This means the most common passwords people use (and hackers are likely to guess) will not be accepted; nor will the obvious modifications of said common passwords. * When you check "Remember Me", a [side-channel-resistant persistent authentication token](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2.1) is placed in a cookie on your computer, in accordance with the best practices we helped establish last year. * **Two-factor authentication is included out of the box.** Just scan a QR code into your 2FA app on your smartphone (e.g. Google Authenticator) and check a box. * **Progressive rate-limiting.** Every subsequent bad username/password guess forces anyone attempting to login with that username or from the same IP subnet wait an increasing amount of time, up to a configurable maximum delay (default: 30 seconds). This delay can be enforced in a two modes: Fast-fail ("You are doing this too fast. Please try later" and prompt exit) or a sleep. * **Account recovery**: * If you provide an OpenPGP public key (e.g. via GnuPG), your password recovery email will be encrypted with your public key. This benefit comes with zero additional configuration for GNU/Linux servers. * You can opt out of password reset emails entirely. This might be desirable if you use strong passwords and two-factor authentication but do not trust in the security of your email provider (or of SMTP itself, which provides [opportunistic encryption](https://adamcaudill.com/2014/02/25/on-opportunistic-encryption)). * Regardless of encryption, password reset emails send a link with a token (which follows a similar construction to "remember me" cookies to prevent timing leaks). * (Optional, enabled by default): When you use the account recovery feature (assuming it was enabled), all other sessions and long-term authentication cookies are immediately invalidated. * **Flexible, powerful, and overall *simple* access controls**: * You have `contexts` (which can overlap), based on the user's URI . Each context is a white list. * You have `actions` (e.g. "read", "create", "update", "publish") on a per-site basis. (CMS Airship supports a multi-site architecture out of the box.) * You have rules, which grant either a user or a group of users the ability to perform an *`action`* in a given *`context`*. * Groups can inherit permissions from other groups. * Users can belong in multiple groups. * If *any* of the groups you belong to are permitted to perform said `action` in a given `context`, then you are permitted. * When contexts overlap, you have to have permission for all relevant contexts. * If no permissions are defined, unless you are an administrator, the access controls will fail closed (deny). * All of this can be managed by checking or unchecking boxes in a table (for each context).

Security Headers Made Easy

Want to add a `Content-Security-Policy` header to your Airship *just in case* an XSS vulnerability is ever discovered? Want to add an `HTTP Public-Key-Pinning` header so your Airship is still secure even if a Certificate Authority is compromised (or goes rogue at behest of a nation state attacker)? Don't reach for `ssh` and (insert text editor of choice here), just login as an administrator user and use the web interface. Airship uses both [CSP-Builder](https://github.com/paragonie/csp-builder) and [HPKP-Builder](https://github.com/paragonie/hpkp-builder) to build the relevant security headers based on the configuration you provide. Like many of our projects, these open source libraries were developed as standalone utilities to improve the security of PHP projects throughout the community.

CMS Airship is a New Chapter in PHP Security

Despite its [overwhelming popularity](https://w3techs.com/technologies/details/pl-php/all/all), the PHP programming language has historically had a bad reputation in the information security industry. At Paragon Initiative Enterprises, we want to improve the security and usability of the tools and frameworks people already use. With CMS Airship, we hope to establish the platinum standard for PHP security. The gold standard for PHP security just does everything that is required. The platinum standard does everything that it can. The gold standard for PHP security in 2016 involves: * Using HTTPS everywhere * Using the password hashing API * Using a CSPRNG any time you need randomness for security * Strict use of prepared statements to prevent SQL injection * Adherence to context-sensitive output escaping (instead of escaping on input) to prevent cross-site scripting * Using a token or nonce to stop cross-site request forgery attacks * Not passing untrusted user data to deserialization functions Paragon Initiative Enterprises takes securing PHP applications to the next level. In computer security, *Attacks only get better, they never get worse*. **Today's platinum standard should be tomorrow's gold standard.** Working together, we hope to greatly improve the state of security in PHP applications for everyone's benefit. Until tomorrow comes, the bar for secure PHP applications has been set. Our work has just begun. Let's make PHP security ubiquitous, on-by-default, and as simple as possible.