Why Airship?
- Carefully Chosen Cryptography Features — Powered by the Sodium cryptography library (accessed through Halite, our easy-to-use libsodium wrapper).
- Secure Automatic Updates — Critical security updates will automatically be applied within an hour (in the default configuration). Never worry about something like this happening again.
- Open Source — Airship is dual licensed. You can use it under the terms of the GNU Public License as Free Software, or if you'd prefer, you may purchase a commercial license from Paragon Initiative Enterprises.
- No Legacy Cruft — Airship was born into PHP 7 and does not need to retain the bloat or bad designs necessary to maintain compatibility with early versions of PHP 5.
Launch Your Airship
PHP CMS Out-of-the-Box Security Comparison Chart | |||||
---|---|---|---|---|---|
Security Feature | CMS Airship | WordPress | Drupal | Joomla! | Notes |
Note: A detailed technical breakdown of the security of the other CMS platforms is available. | |||||
Automatic Updates | The automatic updates you receive are secure against forgery even if our update server is compromised. | ||||
Prepared Statements | For preventing SQL Injection vulnerabilities. | ||||
CSRF Protection Everywhere | Plugins notwithstanding. | ||||
Context-Aware Output Escaping | Escapes on input |
For preventing cross-site scripting vulnerabilities. | |||
Content Security Policy | CMS Airship lets you manage CSP and HPKP headers through a web interface. | ||||
HTTP Public-Key-Pinning | |||||
Password Hashing | Argon2i |
Salted MD5 |
SHA512Crypt |
bcrypt |
Read more about how to safely store users' passwords and why Argon2 is the best choice. |
Two-Factor Authentication | |||||
Secure "Remember Me" Checkboxes | We outlined how to implement secure "remember me" checkboxes in PHP last year. | ||||
Login Brute-Force Resistance | |||||
Account Recovery: Opt Out | |||||
Account Recovery: GnuPG Encryption | CMS Airship allows users to provide a public key, which will be used to encrypt the outgoing account recovery emails. | ||||
Encryption | Halite |
N/A | N/A | Defuse v1* |
* As of v3.5.0; before, JCrypt was insecure. |
Minimum PHP Version | 7.0 |
5.2.4 |
5.5.9 |
5.3.10 |
Read more about why low minimum PHP version requirements are bad for security. |
Secure Random |
|
random_compat v1 |
random_compat v1 |
random_compat v1 |
Version 1 of random_compat falls back to OpenSSL as a last resort, while version 2 is more secure and truer to what PHP 7 does. Learn more. |
Code Footprint | 62,367 |
496,998 |
1,008,868 |
858,922 |
Less code usually implies less room for bugs to slip in. This metric is useful for estimating the cost of a full audit. |
Free / Open Source |
Github |
Trac |
Git |
Github |
All four are released under GPL |
Security Feature | CMS Airship | WordPress | Drupal | Joomla! | Notes |
Frequently Asked Questions
Why does the community need yet another CMS?
Airship carries two benefits that none of the existing content management system solutions offer:
- Airship was designed, and is maintained, by a team of PHP security experts.
- Airship is not encumbered by risky backwards compatibility concerns and years of technical debt.
Though our security team often shares our insight into better security practices with the maintainers of popular Free Software projects, they are almost always held back by technical debt and obligations to maintain compatibility with legacy systems.
What makes Airship different from any other CMS?
The short answer: In terms of security, Airship is worlds apart from the CMS platforms you're already familiar with.
The Long Answer:
A lot of the security problems that the other CMS solutions encounter is
the result of unknown unknowns.
For example, "Is it safe to pass user-provided data to unserialize()
in a PHP 5 application?" is a question that many CMS developers would
never even think to ask (let alone know the answer to off the top of
their heads).
We live and breathe application security. Our set of unknown unknowns is consequently a lot smaller than most PHP programmers'.
- To prevent SQL injection, we use prepared statements where we can, and a strict whitelist where we can't.
- To prevent cross-site scripting, we escape on output, not on input. We also provide a user-friendly interface for managing your Content-Security Policy headers.
- All forms that accept POST data are protected against CSRF attacks by design.
- Users' passwords are hashed using Argon2i, and the hashes are encrypted with authenticated encryption, before storage.
- We made access controls painless. (Read the docs to learn more.)