Security Concept
Pimcore follows a multi-layer security concept. The framework provides built-in protections at the core level, while project-specific security measures are the responsibility of the integration partner.
Pimcore Core Level
Coding Standards and Best Practices
Pimcore follows established PHP coding standards and industry best practices to minimize security risks. The coding standards are based on PSRs (PHP Standards Recommendations) developed by the PHP Framework Interop Group (PHP-FIG) and are enforced during continuous integration at GitHub.
Dependency Management
Pimcore is built on the Symfony framework and manages all dependencies through Composer, the standard PHP dependency management solution. This makes it straightforward to keep all dependencies up to date and secure.
As a Symfony application, Pimcore supports all Symfony security tools, including the Symfony Security Checker.
Content Security Policy
Pimcore Studio includes a Content Security Policy (CSP) handler that protects against
Cross-Site Scripting (XSS) and data injection attacks by adding a Content-Security-Policy
HTTP header with a nonce
to every Studio request. CSP is enabled by default.
Read more about Content Security Policy.
Pimcore Studio CSP Configuration
Configure the Studio CSP under pimcore_studio_ui.csp_header.
To allow external URLs for specific directives:
# config/config.yaml
pimcore_studio_ui:
csp_header:
additional_urls:
script-src:
- 'https://cdn.example.com/scripts/analytics.js'
style-src:
- 'https://fonts.googleapis.com'
connect-src:
- 'https://api.example.com'
Available directives: default-src, script-src, style-src, connect-src,
font-src, img-src, media-src, frame-src, worker-src
To disable CSP:
# config/config.yaml
pimcore_studio_ui:
csp_header:
enabled: false
To exclude specific paths from CSP enforcement:
# config/config.yaml
pimcore_studio_ui:
csp_header:
exclude_paths:
- '/pimcore-studio/custom-endpoint'
If your bundle or custom implementation extends the Studio interface, add the generated nonce to inline scripts:
<script {{ pimcore_studio_csp.getNonceHtmlAttribute()|raw }}>
For advanced CSP extension (registering external origins from bundles, dev servers, or CDNs), see the Studio UI Content Security Policy documentation.
Frontend CSP
CSP for customer-facing pages is a project-level responsibility. Configure CSP headers through your web server (Nginx, Apache) or Symfony response listeners. Pimcore does not enforce CSP on frontend document responses automatically.
Handling Security Issues
Pimcore handles security vulnerabilities with the following procedure:
-
Reporting: Report issues via the GitHub security advisory mechanism of the corresponding repository, e.g. core framework. Do not use the public issue tracker.
-
Resolution:
- Pimcore forwards the report to the core team for verification.
- If confirmed, Pimcore sends an acknowledgement to the reporter.
- Pimcore develops a patch and obtains a CVE identifier if not already available.
- Pimcore publishes the patch and/or a new release.
- Pimcore publishes a security announcement covering affected versions, possible exploits, and how to patch or upgrade.
Project-Specific Level (Integration Partner)
HTTPS / TLS
Serve all Pimcore endpoints over HTTPS, including Pimcore Studio (/pimcore-studio),
API routes, and customer-facing pages. Configure TLS termination at the web server
or load balancer level.
Coding Standards and Best Practices
Apply the same coding standards and best practices used in core development to the solution.
Dependency Management
Run security checks for all additional solution dependencies. All Symfony tools, including the Symfony Security Checker, are available for solution projects.
Project-Specific Penetration Testing
Penetration testing should uncover security issues in the solution implementation. Run tests on staging systems without additional security layers (WAF, IPS) and cover all OWASP Top 10 risks.
A third-party testing partner provides an independent assessment.
WAF and IPS on Production Systems
Web Application Firewalls (WAF) and Intrusion Protection Systems (IPS) sit in front of the application, analyze traffic, and filter malicious activity.
As a standard PHP application, Pimcore works with all industry-standard products such as ModSecurity, Cloudflare WAF, and others. The choice depends on the IT infrastructure. For Pimcore Studio, WAF rules may need to allow multipart file uploads, WebSocket connections (used by Mercure for real-time updates), and larger request bodies.
WAF and IPS serve as the final safety net in the multi-layer security concept.