Security


     Adding the kind of form-processing power ZAP provides to your site calls for careful security measures. ZAP automatically disables PmWiki directives and PHP code in form submissions and protects against forged headers, but there are a few additional things you can do to tighten ZAP security. Here is a brief overview:

1) Limit where ZAP is enabled.
     ZAP should ONLY be enabled on pages where trusted users have edit privileges, since anyone who can edit a ZAP-enabled page can author forms that the engine will process. For added security, you can also limit ZAP modules to specific groups or pages by including them only where they are needed. (Another option is to use the ZAP Config page to limit where the various extensions can be used.)

2) Set Forms Permissions.
     ZAP creates a special "forms" permission level in your attribute pages, which controls who can submit a ZAP form. By default this level allows any page visitor, including anonymous ones, to submit a form. You can change it to "id:*" (any authenticated user), or limit it to specific members, passwords, or groups, and you can set a different level for different groups and pages. Just edit the appropriate group or page attributes.

3) Use ZAP input.
     Wherever possible, use the (:zap field="value":) markup for passing commands and data to the ZAP engine. This markup is evaluated on the server when the page is rendered and passes the information to the engine as a SESSION variable rather than a POST variable, so a visitor cannot overwrite it by adding a field of the same name to the submitted form. Most commands MUST be submitted using this format.

4) Protect Data.
     Finally, because text variables are stored in the page source and can be retrieved so easily, you should read-protect pages or groups that hold sensitive data. If you wish to leave these pages readable but not editable, be sure to protect the data values from users using PmWiki's action=source and action=diff commands, which expose the raw page text and its history even to read-only visitors. The following lines in your config file will take care of this:

       $HandleAuth['source'] = 'admin';
       $HandleAuth['diff'] = 'admin';
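Steps 1, 2 and 4 above are all local customization, so they can be applied together in one PmWiki config file. The fragment below is an added example written for this tutorial; it is not code from the ZAP distribution or from the tutorial's author. The ZAP file path, the "Forms" group name, and the assumption that ZAP's "forms" level can be given a default through $DefaultPasswords are all assumptions to adjust for your own installation.

```php
<?php if (!defined('PmWiki')) exit();
// local/config.php -- added example, not part of ZAP or of the original tutorial.
// The ZAP include path, the group name "Forms" and the $DefaultPasswords['forms']
// default are assumptions; check them against your own ZAP installation.

// Step 1) Limit where ZAP is enabled: load the engine only for pages in the
//    "Forms" group, where trusted users hold edit rights. Pages in every other
//    group never load ZAP, so a form posted to them is never processed.
//    (PmWiki's per-group files such as local/Forms.php would work as well;
//    the inline check keeps the whole policy visible in one place.)
$group = PageVar($pagename, '$Group');
if ($group == 'Forms') {
  include_once("$FarmD/cookbook/zap.php");   // assumed location of the ZAP engine
}

// Step 2) Forms permission: require an authenticated user to submit a ZAP form.
//    'id:*' is PmWiki's "any logged-in user" and needs AuthUser loaded.
//    Group and page attributes can still override this level where needed,
//    for example to open a single contact form to anonymous visitors.
include_once("$FarmD/scripts/authuser.php");
$DefaultPasswords['forms'] = 'id:*';   // assumed: ZAP honours a default for its level

// Step 4) Protect data: text variables live in the page source, so a page that
//    is readable but not editable still leaks them through ?action=source and
//    ?action=diff. Restrict both actions to the admin password.
$HandleAuth['source'] = 'admin';
$HandleAuth['diff']   = 'admin';
```

Step 3 is not a config setting: it is the (:zap field="value":) markup you write into the form pages themselves, so that commands reach the engine through the session rather than through fields a visitor can edit. After applying the fragment, confirm the policy from a logged-out browser: a ZAP form outside the Forms group should not be processed, an anonymous submission inside it should be refused, and ?action=source on a protected page should prompt for the admin password.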

Summary: ZAP's built-in checks cover the form content itself; what remains is policy. Restrict ZAP to the pages and groups that need it, or restrict who may submit ZAP forms using PmWiki's password management system. Then secure sensitive data by read-protecting those pages and/or locking PmWiki's "source" and "diff" actions. That's it!

Congratulations! You have just completed my basic introduction to ZAP!