We follow security best practises when developing the CCS website, a summary of how we have tackled security appears below.

Since we have used a Headless CMS architecture there is dramatically less functionality exposed in the CCS website than for a traditional WordPress-powered website. Only functionality required for the CCS website project has been developed, which allows the development team to more easily tailor security requirements for each specific feature rather than rely on out-of-the box functionality from plugins which are harder to validate security for.

Incoming variables are filtered via PHP's standard filter_var functionality.

The majority of content passed to the template layer is automatically escaped by the Twig templating system. Twig applies automatic HTML escaping and can be configured to escape content for different contexts (e.g. URLs, CSS, JavaScript).

Rich text content from WordPress which contains HTML cannot be escaped and is displayed raw (e.g. page content).

Queries run against the database use prepared statements to ensure variables are properly escaped to avoid dangerous characters being passed to the database. We use standard PDO prepared statements for this.

Any sensitive credentials are stored in environment variables which are stored in private, encrypted-at-rest AWS S3 buckets and copied to the webservers on deployment.

No emails are sent from the frontend web application.