Data Security

The data sent between the instances is safely encrypted with a secure key and cannot be read by anyone, unless they know the encryption key. The key is generated during the configuring of the add-on on the remote instance. The key is kind of a password for computers, the same way you use a password to authenticate your user with concrete5, the machines use the encryption key to share data that is only meant for their “eyes”.

The encryption key can be compromised only when you generate it on the remote instance if you don’t use secure HTTPS connection. It is highly recommended to have the remote machine behind a secured HTTPS-connection. If you do not use HTTPS, and log into the admin panel, any data (not only data exchanged with Mainio Sync) from there can be compromised through a man in the middle attack. The same way, the encryption key could be compromised when you paste it into the exporting end’s settings. Therefore, we generally suggest to synchronize data from local instances where you are not sending the data to the public internet when working on them. For example, if you are working on the sites through the “localhost” domain, your data is never sent through the public internet and therefore the encryption key also remains safe.

You can get free HTTPS certificates from Let's Encrypt. Please ask your hosting provider for more information on how to set them up. In case you have your own VPS or dedicated server, you can also contact us for setting it up for you for an additional fee.

Using HTTP Authentication

In case you want to add an additional layer of security to your instance, you can also use the HTTP authentication option that you are able to define for the synchronization targets. Generally this option is meant for situations where the target instance is behind HTTP authentication for other reasons (e.g. a company intranet service) but you are also able to set this layer up only for the synchronization endpoints.

First, you need to login to your remote server through SSH. Browse into your concrete5 instace's public root folder and generate the HTTP credentials file for storing the login information:

$ cd /home/youruser/public_html
$ htpasswd -c .htpasswd httpuser

You need to have a couple of packages installed on machine for the "htpasswd" command to be available. Installing those packages goes beyond this guide, please use Google for that.

The command will ask you the password for the new user that you later use to access the API endpoint.

After this, modify the .htaccess of your instance as follows:

# This is your .htaccess file
SetEnvIf Request_URI ^/(index.php/)?ccm/mainio_sync/api require_auth=true
# Or in case concrete5 has been installed in relative path:
#SetEnvIf Request_URI ^/rel_path/(index.php/)?ccm/mainio_sync/api require_auth=true

# Setup authentication
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/youruser/public_html/.htpasswd

# Setup a deny/allow
Order Deny,Allow
Deny from all
Satisfy any Require valid-user
Allow from env=!require_auth

Make sure to modify the paths in the code samples according to your environment. It would be also recommended not to store the ".htpasswd" file in your publicly accessible webroot folder if possible. For more security, that file should also only be accessible by the user that is responsible for handling the HTTP requests.

This example only authorizes the API endpoints while the rest of the site will remain accessible without providing HTTP credentials. In case you are using this method, please refer back to this documentation every time you update the add-on because we might change the endpoint addresses with the package updates.

After this, you should see an authorization error if you try to synchronize content with this instance without providing the HTTP authentication credentials.


Please continue to read other parts of the documentation:

  1. Using the Add-on
  2. Security
  3. FAQ / Possible Issues
  4. Programming Tips
  5. Additional Information