Statistics, form protection and site security

Hi, I’m currently evaluating if NEOS is the right choice for our company homepage. I read several docs and tutorials and tested the demo of the editor frontend at jumpbox.ch (love the frontend :heart_eyes: ). But before I test an installation I have some questions…

  • Statistics
    Is there a recommended way to get page usage statistics (page hits, devices, browsers, countries, …) if I decided NOT to use external services like Google Analytics but preferred on-premise solutions?

  • Form spam prevention
    Is there some sort of form submit security available to prevent form spamming, preferably on-premise solutions - meaning no Google reCAPTCHA? E.g. blocking form submission for some seconds after page load, enforcing enabled JavaScript to block bots without JavaScript, preventing repeated form submission, detecting a “human user”, … I would prefer not to use captchas at all because they are a usability nightmare.

  • Site security
    Is there some sort of integrated site access security available with frequently updated IP blacklists and automatic IP blacklisting - including blocking statistics/reports? Or would I need a separate software firewall in front of NEOS?

Thanks for your help :slight_smile:

Hey Björn, welcome to the Community!

Statistics
There is no built-in solution in Neos for the tracking itself.
But we have integrations for

Form spam prevention
We use a Honeypot solution (https://github.com/daniellienert/honeypotformfield) in all our forms, which keeps spam away even on high-traffic sites. Other than that, I am not aware of on-prem solutions and submission-rate-limiting integrations.

Site security
No, AFAIK there is no such solution for Neos, you need an external (Application-) Firewall for that.

Cheers,
Daniel
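As an added illustration (not code from the honeypotformfield package or from Neos) of the honeypot approach Daniel mentions, combined with the "no submission for some seconds after page load" and "no repeated submission" checks Björn asked about: a hidden field that must stay empty, plus a signed, single-use timestamp token issued when the form is rendered. Field names, thresholds and the secret are assumptions.

```python
import hashlib
import hmac
import secrets
import time

HONEYPOT_FIELD = "website"   # hidden via CSS; humans leave it empty, bots usually fill it
MIN_FILL_SECONDS = 3         # faster than a human could fill the form -> reject
MAX_TOKEN_AGE = 3600         # tokens expire so harvested ones cannot be replayed later


def issue_form_token(secret: bytes, now=None) -> str:
    """Render this into a hidden field when the form page is generated."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)  # makes every rendered form single-use
    mac = hmac.new(secret, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def check_submission(secret: bytes, form: dict, used_nonces: set, now=None):
    """Return (accepted, reason) for a submitted form (dict of field -> value)."""
    now = now if now is not None else time.time()
    # 1. honeypot: any content in the invisible field marks the request as a bot
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot filled"
    # 2. token must be present, well-formed and authentic
    try:
        ts, nonce, mac = form.get("form_token", "").split(".")
        issued_at = int(ts)
    except ValueError:
        return False, "token missing or malformed"
    expected = hmac.new(secret, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token signature invalid"
    # 3. timing: too fast means a script, too old means a stale or harvested token
    age = now - issued_at
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast after page load"
    if age > MAX_TOKEN_AGE:
        return False, "token expired"
    # 4. single use: the same token seen twice is a repeated submission
    if nonce in used_nonces:
        return False, "token already used"
    used_nonces.add(nonce)
    return True, "ok"
```

In production the set of used nonces would live in a shared store with the same expiry as the token so that it does not grow unbounded.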

Thanks for your reply.

The honeypotformfield is fine by me :slight_smile:

As an application firewall I think I might try Shadow Daemon or ModSecurity with Apache.

I’ll definitely give NEOS a try :smiley:

Hi @Bjorn

Regarding statistics I’d also follow the route that @daniellienert proposed: That’s the scope and speciality of dedicated tools, so use one of those and no half-baked click-counter in the CMS (not present in Neos, but I’ve seen stuff like this in other CMS products). Also, evaluating the webserver logfiles is no option as they are too raw to track “traces” of your visitors (e.g. a user that visits multiple pages one after another).

We’ve had good experiences with Matomo (earlier called Piwik). It can be self-hosted on the same or a different webserver, and the minimal integration into Neos is to have a few lines of a code snippet put into your template and delivered to the frontend pages of your website (then the browser of the visitor sends page hits directly to Matomo, similar to how Google Analytics works).

I think ModSecurity will fit in fine, but I’d not rest too assured that the very generic set of rules covers each and every potentially strange request to Neos (which is a rather small fish compared to e.g. WordPress in the CMS ecosystem). To me this is not a bad sign, just saying that the generic ModSecurity ruleset might lack some Neos-specific rules as not enough people requested stuff for it.
On the other hand Neos is considered pretty safe and has a short list of security related issues when I look over the past few years - and that’s the big plus from my point of view.

If you look at the architecture of a Neos installation, where the publicly reachable files are explicitly just those that are in the Web directory of a Neos installation, the attack surface is greatly reduced as it’s not as easy to accidentally have a sensitive file being reachable from the outside - unless you intentionally do something to get it published to the front yard. Or in other words: Everything of the application itself is outside of the so-called DocumentRoot directory that your webserver exposes to the world.

Hope this helps.

Best wishes,
Mario