Security with Bovine

Security features for Bovine Pages Server

Security Notes

HTTPS Everywhere

All sites are served over HTTPS automatically. HTTP requests redirect to HTTPS (except for Let’s Encrypt verification requests).

Password Hashing

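Always store a SHA-256 hash of your password, never the plain password. The hash in .pages is public (it’s in your repository), but it’s computationally infeasible to reverse it to get your password. Because the hash is public, anyone can test password guesses against it offline, so choose a long, random password.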

Authentication cookies use:

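  • HMAC signing (tamper-proof: a modified cookie fails verification)
  • HttpOnly flag (XSS protection: scripts cannot read the cookie)
  • Secure flag (HTTPS only)
  • SameSite=Strict (CSRF protection: the cookie is not sent on cross-site requests)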
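
The four cookie properties above, shown together as an added Go example. This is not Bovine's own code: the cookie name, the `signature.payload` value layout, the payload contents and the key are assumptions made for illustration, since the page does not describe the real cookie format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// tag computes HMAC-SHA256 over the payload with the server-side key.
func tag(key []byte, payload string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

// signValue returns "signature.payload" (layout assumed for this example).
func signValue(key []byte, payload string) string {
	return base64.RawURLEncoding.EncodeToString(tag(key, payload)) + "." + payload
}

// verifyValue recomputes the HMAC and compares it in constant time.
func verifyValue(key []byte, value string) (string, error) {
	sigB64, payload, ok := strings.Cut(value, ".")
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok || err != nil || !hmac.Equal(sig, tag(key, payload)) {
		return "", errors.New("invalid auth cookie")
	}
	return payload, nil
}

// newAuthCookie builds a signed cookie with the three flags listed above.
func newAuthCookie(key []byte, payload string) *http.Cookie {
	return &http.Cookie{
		Name: "example_auth", Value: signValue(key, payload), // hypothetical name
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

func main() {
	key := []byte("constructed-demo-key") // constructed; real keys must be random and secret
	c := newAuthCookie(key, "example.org|1893456000")
	_, err := verifyValue(key, c.Value+"x") // one appended byte breaks the signature
	fmt.Println(c.String(), "| tampered value:", err)
}
```

The signature only proves the value was issued by the holder of the key; an expiry inside the payload still has to be checked by the server after verification.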

Custom Domain Verification

If your admin enables DNS verification, you prove domain ownership via DNS TXT records. This prevents domain hijacking.