Security

Payments

Since the heavy lifting of handling the payments happens entirely on Stripe's servers, card data never touches your Kirby installation and there is little that can go wrong on that side. What remains your job is the glue around it: keep the Stripe secret key out of the repository and out of the public webroot, and treat anything that arrives from the browser as untrusted input, exactly as you would anywhere else on the site.

HTTPS / SSL

Having said that, your production server should be secured with a TLS certificate (still commonly called an SSL certificate), and all traffic and assets should be served over HTTPS, with plain HTTP redirecting to HTTPS so that neither the session cookie nor a checkout page is ever sent in the clear.

Server Config

While Kirby ships with a basic .htaccess file for Apache, I would recommend adding a few more rules to improve both security and performance. Nginx does not read .htaccess at all, so the equivalent rules have to go into the server block of your Nginx config.

Content Security Policy Headers (CSP)

Whether or not you intend to include scripts, images or iframes from external sources, I highly recommend setting up a tight CSP: start from a policy that allows only your own origin, add exactly the sources you need, and block everything else. My security headers plugin comes with sensible defaults and some tips on how to get started defining rules.
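As an added illustration (written for this page; it is not the code of the security headers plugin mentioned above): a small Kirby plugin that builds such a deny-by-default policy from an array, adds a per-request nonce so inline scripts work without 'unsafe-inline', and sends the header from a route:before hook. The plugin name example/csp, the file location, the helper names cspNonce/cspPolicy/cspHeaderValue, the Panel-path check and the Stripe hosts listed in the policy are assumptions for the example; adjust the sources to what your templates actually load and check the Stripe hosts against Stripe's current CSP guidance.

```php
<?php
// site/plugins/csp-example/index.php  (assumed location; added example, not the plugin's code)
//
// Builds a strict Content-Security-Policy and sends it, together with a few
// companion headers, on every public request through Kirby's 'route:before' hook.
// Assumptions: the Kirby 3/4 plugin and hook API (Kirby::plugin, 'route:before'
// with a $path argument) and the hosts Stripe.js needs.

// One nonce per request. Render it into the inline scripts you control
// (<script nonce="<?= cspNonce() ?>">) so 'unsafe-inline' is never needed.
function cspNonce(): string
{
    static $nonce = null;
    return $nonce ??= base64_encode(random_bytes(16));
}

// Start from "deny everything" and open only what the site really uses.
function cspPolicy(string $nonce): array
{
    return [
        'default-src'     => ["'none'"],                       // nothing unless listed below
        'script-src'      => ["'self'", "'nonce-{$nonce}'", 'https://js.stripe.com'],
        'style-src'       => ["'self'"],                       // inline style="" attributes are blocked too
        'img-src'         => ["'self'", 'data:'],
        'font-src'        => ["'self'"],
        'connect-src'     => ["'self'", 'https://api.stripe.com'],
        'frame-src'       => ['https://js.stripe.com', 'https://hooks.stripe.com'],
        'form-action'     => ["'self'"],                       // forms may only post back to this site
        'base-uri'        => ["'self'"],                       // no <base> hijacking of relative URLs
        'frame-ancestors' => ["'none'"],                       // this site cannot be framed (clickjacking)
        'object-src'      => ["'none'"],                       // no plugin embeds
        'upgrade-insecure-requests' => [],                     // value-less directive
    ];
}

// Serialise the policy array into the header value, e.g.
// "default-src 'none'; script-src 'self' 'nonce-...' https://js.stripe.com; ..."
function cspHeaderValue(array $policy): string
{
    $directives = [];
    foreach ($policy as $name => $sources) {
        $directives[] = trim($name . ' ' . implode(' ', $sources));
    }
    return implode('; ', $directives);
}

// While tuning the policy, ship it as Report-Only first: browsers log every
// violation to the console without blocking anything. Flip to false once the
// console is clean on every page of the site.
const CSP_REPORT_ONLY = true;

Kirby::plugin('example/csp', [
    'hooks' => [
        'route:before' => function ($route, $path, $method) {
            // The Panel ships its own inline scripts and styles; this policy is
            // meant for the public site only (assumes the default 'panel' slug).
            if (headers_sent() || str_starts_with((string)$path, 'panel')) {
                return;
            }

            $name = CSP_REPORT_ONLY
                ? 'Content-Security-Policy-Report-Only'
                : 'Content-Security-Policy';
            header($name . ': ' . cspHeaderValue(cspPolicy(cspNonce())));

            // Companion headers that a CSP does not cover.
            header('X-Content-Type-Options: nosniff');
            header('Referrer-Policy: strict-origin-when-cross-origin');
            header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
            // Only send HSTS once everything is served over HTTPS; browsers
            // remember it for the whole max-age.
            header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        },
    ],
]);
```

Check the result with `curl -I https://www.example.com` and compare the Content-Security-Policy line against what your templates load; with style-src limited to 'self', every inline style attribute has to move into a stylesheet (or get its own nonce) before you leave Report-Only mode.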

Last but not least, debug = false

The official Kirby CMS docs have a worthwhile guide on how to make your Kirby installation even more secure. Be sure to check it out.

One topic is deactivating the debug mode, which would otherwise show visitors full error pages with stack traces, file paths and variable contents. I achieve this by explicitly turning it off globally and only turning it on for local development, using Kirby's host-specific config files: config.php is loaded first and config.<hostname>.php is merged on top of it, so the production host never inherits the development setting.

site/config/config.php
<?php

return [
    'debug' => false,
    'session' => ['cookieName' => 'session'],
    'yaml.handler' => 'symfony', // future-proof
    // other options
];
site/config/config.example.test.php
<?php

return [
    'cache' => ['pages' => ['active' => false]],
    'content' => ['locking' => false],
    'debug' => true,
    'editor' => 'vscode',
    // other options
];
site/config/config.www.example.com.php
<?php

return [
    // 'cache' => ['pages' => ['active' => true]], // depends
    'debug' => false, // double-tap to be sure
    'panel' => ['install' => false], // double-tap to be sure
    'url' => 'https://www.example.com', // enforce https and www
    // other options
];
Kirby Klub is not affiliated with the developers of Kirby CMS. We are merely standing on the shoulder of giants.
© 2025 Bruno Meilick All rights reserved.