URL: https://deepwiki.com/MahoCommerce/maho/11.5-security-best-practices

Security Best Practices | MahoCommerce/maho | DeepWiki

Last indexed: 15 May 2026 (ea8ab8)

Security Best Practices

Purpose and Scope

This document details the security workflows, automated scanning infrastructure, and vulnerability management practices within the Maho e-commerce platform. As a modernized fork of Magento, Maho integrates contemporary security standards directly into its CI/CD pipeline and core architecture, focusing on PHP 8.3+ compatibility and robust static analysis.

This page covers:

  • Vulnerability reporting procedures.
  • Automated security scanning (PHP, JavaScript, XML).
  • Copyright and licensing compliance checks.
  • Translation integrity and quality gates.
  • Testing security logic across multiple database engines.

Reporting Security Vulnerabilities

Maho follows a coordinated disclosure policy to protect store owners. Vulnerabilities must never be reported through public GitHub issues.

Vulnerability Reporting Workflow


Required Information for Reports:

  • Type: SQLi, XSS, CSRF, RCE, etc.
  • Location: Specific file paths and line numbers.
  • Proof of Concept (PoC): Steps to reproduce the exploit.
  • Impact: Assessment of what an attacker can achieve.

Sources: SECURITY.md (lines 1-13)


Automated Security & Quality Scanning

Maho utilizes GitHub Actions to enforce security gates on every Pull Request and on a scheduled basis.

PHP Security Scanning

The platform checks for known vulnerabilities in the dependency tree (Composer) using the Symfony Security Checker.

  • Workflow: .github/workflows/security-php.yml
  • Frequency: Weekly (Mondays) and on composer.lock changes.
  • Tool: symfonycorp/security-checker-action.

Static Analysis (PHPStan)

PHPStan is configured to catch type-related bugs and potential logic flaws. Maho maintains a comprehensive configuration to manage technical debt while enforcing strict rules on new code.

  • Workflow: .github/workflows/phpstan.yml (lines 1-62)
  • Matrix: Tests against PHP 8.3, 8.4, and 8.5.
  • Execution: Runs XDEBUG_MODE=off php vendor/bin/phpstan.phar analyze -vvv .
  • Caching: Uses the GitHub Actions cache for the var directory to speed up subsequent runs.

Syntax and Integrity Checks

To prevent configuration injection or malformed payloads, all XML and PHP files are linted.

| Check Type | Workflow File | Implementation |
|---|---|---|
| PHP Syntax | .github/workflows/syntax-php.yml (lines 1-65) | Executes php -l on changed .php and .phtml files. |
| XML Syntax | .github/workflows/syntax-xml.yml (lines 1-60) | Uses xmllint from libxml2-utils to validate structure. |
| Composer | .github/workflows/composer.yml (lines 1-33) | Runs composer validate --strict --no-check-all. |
| Rector | .github/workflows/rector.yml (lines 1-41) | Performs automated refactoring for PHP 8.3+ via .rector.php. |
| PHP-CS-Fixer | .github/workflows/php-cs-fixer.yml (lines 1-41) | Validates coding standards via php-cs-fixer fix --diff --dry-run. |
| Line Endings | .github/workflows/line-endings.yml (lines 1-25) | Enforces LF line endings across the repository. |
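The syntax-php and syntax-xml checks above lint only the files a pull request touched. The script below is an added example of that pattern, not one of Maho's workflow files: it derives the changed set from git, filters it by extension, and runs php -l and xmllint --noout while continuing past the first failure so a single CI run reports every broken file. It assumes the base ref is passed as the first argument and that paths contain no whitespace; the page does not say how Maho computes the changed-file set.

```shell
#!/bin/sh
# Added example, not one of Maho's workflow files: lint only the PHP/XML files a
# pull request touched, as the syntax-php and syntax-xml checks do.
# Assumptions: the base ref (e.g. origin/main) is passed as $1 and changed
# paths contain no whitespace.

# filter_php LIST -> prints the .php/.phtml paths in a newline-separated LIST.
filter_php() {
    printf '%s\n' "$1" | grep -E '\.(php|phtml)$' || true
}

# filter_xml LIST -> prints the .xml paths in a newline-separated LIST.
filter_xml() {
    printf '%s\n' "$1" | grep -E '\.xml$' || true
}

# lint_changed BASE_REF -> runs php -l and xmllint --noout over the changed
# files; returns non-zero if any file fails, but keeps going so every error
# is reported in one run instead of one per push.
lint_changed() {
    changed=$(git diff --name-only --diff-filter=ACMR "$1"...HEAD)
    status=0
    for f in $(filter_php "$changed"); do
        [ -f "$f" ] || continue            # skip paths deleted in the PR
        php -l "$f" >/dev/null || status=1
    done
    for f in $(filter_xml "$changed"); do
        [ -f "$f" ] || continue
        xmllint --noout "$f" || status=1
    done
    return "$status"
}

# Workflow step usage (GITHUB_BASE_REF is set by GitHub on pull_request events):
#   lint_changed "origin/${GITHUB_BASE_REF:-main}"
```

The --diff-filter=ACMR restriction keeps deleted files out of the list, and the three-dot range compares against the merge base so commits already on the base branch are not re-linted.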



Copyright and License Compliance

Maho enforces a strict copyright notice requirement to ensure legal integrity and provenance of the code.

Copyright Check Workflow

  • File: .github/workflows/copyright.yml (lines 1-100)
  • Scope: All .js, .php, and .phtml files.
  • Exemptions: Specific configuration files like .phpcs.xml, .php-cs-fixer.php, and .rector.php are ignored.

Validation Logic

The workflow dynamically generates a regex pattern based on the current year to validate the copyright string. It supports single years or ranges starting from 2024.


Expected Pattern: Copyright (c) (([VALID_START_YEARS])-(CURRENT_YEAR|NEXT_YEAR)|(CURRENT_YEAR|NEXT_YEAR)) Maho (https://mahocommerce\.com)
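The following script is an added example, not Maho's copyright.yml, showing how the year-dependent pattern above can be generated and applied. It fills VALID_START_YEARS with every year from 2024 through the current year and escapes the literal "(c)" and URL parentheses so they match verbatim; both are assumptions, since the page shows only the placeholder form of the regex. The year is fixed in the demo so the output is stable, whereas a workflow would use $(date +%Y).

```shell
#!/bin/sh
# Added example, not Maho's copyright.yml: rebuild the year-aware notice regex
# described above and check header lines against it.

# build_copyright_regex CURRENT_YEAR -> prints an extended regex for the
# expected notice. Assumptions: any year from 2024 through CURRENT_YEAR may
# open a range, and the literal "(c)" and URL parentheses are escaped.
build_copyright_regex() {
    cur=$1
    next=$((cur + 1))
    starts=""
    y=2024
    while [ "$y" -le "$cur" ]; do
        starts="${starts}${starts:+|}${y}"   # 2024|2025|...|CURRENT_YEAR
        y=$((y + 1))
    done
    printf '%s' "Copyright \\(c\\) ((${starts})-(${cur}|${next})|(${cur}|${next})) Maho \\(https://mahocommerce\\.com\\)"
}

# check_copyright_line LINE CURRENT_YEAR -> exit 0 if LINE carries a valid notice.
check_copyright_line() {
    printf '%s\n' "$1" | grep -Eq "$(build_copyright_regex "$2")"
}

# check_copyright_file FILE CURRENT_YEAR -> exit 0 if any line of FILE carries
# a valid notice; this is the per-file check a workflow would loop over.
check_copyright_file() {
    grep -Eq "$(build_copyright_regex "$2")" "$1"
}

# Demo on constructed header lines (not real Maho files).
demo_year=2026
for line in \
    "Copyright (c) 2024-2026 Maho (https://mahocommerce.com)" \
    "Copyright (c) 2026 Maho (https://mahocommerce.com)" \
    "Copyright (c) 2023-2026 Maho (https://mahocommerce.com)" \
    "Copyright (c) 2024-2025 Maho (https://mahocommerce.com)"
do
    if check_copyright_line "$line" "$demo_year"; then
        echo "ok   : $line"
    else
        echo "stale: $line"
    fi
done
```

Accepting NEXT_YEAR as well as CURRENT_YEAR is what keeps the check from failing on every pull request opened in the first days of January before the repository has been updated.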



Testing Security Logic

The Pest test suite is used to verify security-sensitive operations across different database engines to ensure consistent behavior across platforms.

Database Test Matrix

Security logic and platform stability are validated against:

  • MySQL 8.4 & Latest: Using mysqladmin ping for health checks.
  • MariaDB 10.11 & Latest: Using healthcheck.sh.
  • PostgreSQL 14 & Latest: Using pg_isready.
  • SQLite: Testing the sqlite engine integration.
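The health checks listed above only help if the test job waits for them before running anything. The script below is an added example, not Maho's tests workflow: a generic retry loop around those same probes so tests never start against a database container that is still initialising. Host, port and the healthcheck.sh flags are assumptions; Maho's actual service definitions are not on the page.

```shell
#!/bin/sh
# Added example, not Maho's tests workflow: wait for a database service to
# report healthy using the probes named in the matrix above.
# Assumptions: services listen on 127.0.0.1 on their default ports.

# wait_for ATTEMPTS DELAY_SECONDS COMMAND... -> returns 0 as soon as COMMAND
# succeeds, 1 once ATTEMPTS have been used up.
wait_for() {
    attempts=$1; delay=$2; shift 2
    i=1
    while [ "$i" -le "$attempts" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# health_check ENGINE -> runs the engine's readiness probe once.
health_check() {
    case "$1" in
        mysql)    mysqladmin ping -h 127.0.0.1 -P 3306 --silent ;;
        mariadb)  healthcheck.sh --connect --innodb_initialized ;;
        postgres) pg_isready -h 127.0.0.1 -p 5432 ;;
        sqlite)   return 0 ;;        # file-backed, nothing to wait for
        *)        echo "unknown engine: $1" >&2; return 2 ;;
    esac
}

# Usage in a test job, before ./maho install:
#   wait_for 30 2 health_check "${DB_ENGINE:-mysql}" || { echo "db never became healthy" >&2; exit 1; }
```

Bounding the attempts matters as much as the loop itself: an unbounded wait turns a broken service container into a job that hangs until the runner's timeout instead of failing with a clear message.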

Installation Security

During automated testing, Maho is installed using the CLI tool with secure defaults:

  • Command: ./maho install
  • Admin Setup: Requires complex passwords and valid emails.
  • Sample Data: Tested with sample data enabled to verify EAV and indexer integrity.



Translation Integrity

Security also involves ensuring that administrative and frontend interfaces are not compromised by missing or unused translation strings, which could cause UI confusion or create openings for social engineering.

Automated Translation Audits

Maho includes specific CLI commands and workflows to audit translation files.

| Workflow | Command Used | Purpose |
|---|---|---|
| Missing Translations | ./maho dev:translations:missing | Detects text strings in changed files that lack a translation entry. |
| Unused Translations | ./maho dev:translations:unused | Identifies stale translation entries that are no longer referenced in the codebase. |
| CSV Sorting | (Bash script) | Ensures app/locale/en_US/*.csv files are sorted to maintain consistency. |
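To make the three audits in the table concrete, the script below is an added example, not Maho's dev:translations:* commands or its CSV script. It extracts the strings passed to __('...') from a template, reports those with no row in a "source","translation" CSV, reports CSV rows the template never uses, and checks that the CSV is in sorted order. It assumes single-quoted __() calls, CSV rows without embedded quotes, and byte-order (LC_ALL=C) sorting; the page does not state Maho's exact rules.

```shell
#!/bin/sh
# Added example, not Maho's own commands: a shell approximation of the
# missing/unused/sorted translation audits. Assumptions: __('...') with single
# quotes, CSV rows "source","translation" without embedded quotes, and
# "sorted" meaning byte order (LC_ALL=C).

# extract_keys FILE -> prints each distinct string passed to __('...') in FILE.
extract_keys() {
    grep -oE "__\('[^']*'" "$1" | sed -e "s/^__('//" -e "s/'\$//" | sort -u
}

# csv_sources CSV -> prints the distinct source (first) column of CSV.
csv_sources() {
    sed -E 's/^"([^"]*)".*/\1/' "$1" | sort -u
}

# missing_translations FILE CSV -> prints keys used in FILE with no row in CSV.
missing_translations() {
    srcs=$(csv_sources "$2")
    extract_keys "$1" | while IFS= read -r key; do
        printf '%s\n' "$srcs" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done
}

# unused_translations FILE CSV -> prints CSV sources that FILE never calls.
unused_translations() {
    keys=$(extract_keys "$1")
    csv_sources "$2" | while IFS= read -r src; do
        printf '%s\n' "$keys" | grep -qxF -- "$src" || printf '%s\n' "$src"
    done
}

# csv_sorted CSV -> exit 0 if CSV is already in byte order, 1 otherwise.
csv_sorted() {
    LC_ALL=C sort -c "$1" 2>/dev/null
}

# Demo on constructed files in a temp dir (not Maho's real locale data).
demo=$(mktemp -d)
printf '%s\n' "<?php echo \$this->__('Add to Cart'); echo \$this->__('Checkout');" > "$demo/cart.phtml"
printf '%s\n' '"Add to Cart","Add to Cart"' '"Proceed","Proceed"' > "$demo/en_US.csv"
echo "missing: $(missing_translations "$demo/cart.phtml" "$demo/en_US.csv")"
echo "unused : $(unused_translations "$demo/cart.phtml" "$demo/en_US.csv")"
csv_sorted "$demo/en_US.csv" && echo "csv sorted" || echo "csv NOT sorted"
rm -rf "$demo"
```

Pinning the sort locale is the detail that usually bites: sort -c under a UTF-8 locale and under C disagree on case and punctuation, so a file that passes on a developer's machine can fail on the runner unless both use the same collation.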



Code Quality Standards

Maho uses php-cs-fixer to enforce the @PER-CS2.0 rule set, ensuring code readability and reducing the surface area for bugs.

Code Style to Code Entity Mapping

The following diagram illustrates how the .php-cs-fixer.php configuration interacts with the codebase to enforce security-relevant coding patterns.


Key Security-Related Coding Rules

  • Logical Operators: Use && and || instead of and/or to avoid precedence-related security bugs.
  • Type Casting: Modernize type casting (e.g., (int) instead of intval) for better performance and clarity.
  • Risky Rules: The configuration allows risky rules to proactively fix potential issues.
