Documentation / Getting Started / Security Configuration

Security Configuration

📅 Updated: May 31, 2025
👤 Author: LebCit
⏱️ Reading time:
On this page

⚠️ Important Security Notice

Your Aether CMS installation uses a default cookie signing key that must be changed if you're running Aether on a server accessible to others. This key is used to secure user authentication cookies and protect against session hijacking.

When this is critical:

  • Running Aether on a web server (production, staging, or shared hosting)
  • Multiple users accessing the CMS
  • Any network-accessible installation

When this can be skipped:

  • Using Aether locally only to generate static sites
  • Single-user local development with the built-in static generator
  • No network access to your Aether instance

Current Configuration

In core/app.js, you'll find this line:

const signedCookies = app.createSignedCookies("your-strong-secret-key-here")

This default key must be changed immediately for security.

How to Secure Your Installation

Step 1: Create a .env File

Create a .env file in your project root directory (same level as index.js):

# .env
COOKIE_SECRET="your-very-strong-random-secret-key-here-make-it-long-and-unique"

Step 2: Update core/app.js

Replace the hardcoded key with the environment variable:

// Before (insecure)
const signedCookies = app.createSignedCookies("your-strong-secret-key-here")

// After (secure)
const signedCookies = app.createSignedCookies(process.env.COOKIE_SECRET || "fallback-key-for-development")

Step 3: Generate a Strong Secret Key

Your secret key should be:

  • At least 32 characters long
  • Randomly generated
  • Unique to your installation

You can generate one using:

On macOS/Linux:

openssl rand -base64 32

Online generators:

Example strong key:

COOKIE_SECRET="K8mN9pQ2rS5tU7vW0xY3zA6bC9dF2gH5jK8mN1pQ4rS7tU0vW3xY6zA9bC2dF5gH"

Security Best Practices

  1. Never commit your .env file to version control

    • Add .env to your .gitignore file

  2. Use different keys for different environments

    • Development, staging, and production should have unique keys

  3. Rotate keys periodically

    • Consider changing the key every 6-12 months
    • Note: Changing the key will log out all existing users

  4. Keep your key secret

    • Don't share it in chat, email, or documentation
    • Store it securely (password manager, secure notes)

What This Key Protects

  • User authentication sessions - Prevents session hijacking
  • Admin access tokens - Protects your CMS admin interface
  • Cookie integrity - Ensures cookies haven't been tampered with
  • User data security - Maintains the security boundary of your application

Troubleshooting

If you see authentication issues after changing the key:

  • All users will be logged out (this is expected)
  • Clear your browser cookies for the site
  • Have users log in again with their credentials

If the environment variable isn't loading:

  • Ensure your .env file is in the project root
  • Restart your application after making changes

Example Complete Setup

1. Create .env file:

COOKIE_SECRET="your-generated-secret-key-here"
PORT=8080

2. Update core/app.js:

// Create signed cookies utility with environment variable
const signedCookies = app.createSignedCookies(process.env.COOKIE_SECRET || "development-only-fallback-key")

3. Verify .gitignore includes:

.env
🚨
Remember: This is a critical security step for server installations, shared hosting, and multi-user setups. A compromised cookie secret can lead to unauthorized access to your CMS and user accounts.