// Security architecture and best practices for Klytos CMS. Use when dealing with authentication, encryption, access control, CSRF protection, rate limiting, security headers, HTTPS, or security hardening. Essential for secure development and understanding Klytos security model.
Guide for developing and maintaining Klytos CMS core. Use when modifying core files, adding MCP tools, fixing bugs, extending the core architecture, changing the build engine, modifying the installer, implementing hooks, or working with storage backends. Covers foundational principles (AI-first, privacy by design, security by default), architecture, boot sequence, manager pattern, MCP tool registration, and security checklist.
Complete guide for developing Klytos CMS plugins including structure, entry points, MCP tools, admin pages, hooks, routes, and best practices. Use when creating, modifying, extending Klytos functionality, adding MCP tools, admin pages, hooks, filters, or debugging plugins.
Complete reference of CSS design tokens, component classes, utility classes, and frontend styling in Klytos CMS. Use when building content, plugins, or admin templates that need consistent styling without hardcoding colors or writing custom CSS.
Guide for creating custom page templates, template parts, hook points, reusable blocks, and page template recipes in Klytos CMS. Use when creating new page layout templates, customizing template parts, adding frontend hook points, defining reusable blocks with slots, or building page template recipes combining multiple blocks.
Complete reference of all hooks (actions and filters) available in Klytos CMS for intercepting and extending functionality. Use when hooking into Klytos events, modifying behavior through filters, adding custom behavior at lifecycle points, or understanding the hook system and priorities.
Reference of all global helper functions available in Klytos CMS. Use when developing plugins, extending the CMS, accessing core services, checking permissions, generating URLs, logging messages, or calling any klytos_* global function from PHP code.
| name | klytos-security-architecture |
| description | Security architecture and best practices for Klytos CMS. Use when dealing with authentication, encryption, access control, CSRF protection, rate limiting, security headers, HTTPS, or security hardening. Essential for secure development and understanding Klytos security model. |
CRITICAL: The admin panel URL is SECRET. It must NEVER be discoverable from the public-facing site.
/ ← Web root (public-facing)
├── index.html ← Redirect or landing page
├── assets/ ← Public assets (CSS, JS, images, fonts)
│ ├── css/
│ ├── js/
│ ├── images/
│ └── fonts/
├── sitemap.xml ← Search engine sitemap
├── robots.txt ← Crawler directives
├── llms.txt ← AI indexing summary
├── llms-full.txt ← AI indexing full content
│
└── {random-admin-name}/ ← SECRET admin directory (e.g. "x7k9m2-panel")
├── .htaccess ← Routes all requests, blocks sensitive dirs
├── index.php ← Front controller
├── install.php ← Installer (renamed after use)
├── t.php ← Analytics pixel
├── config/ ← BLOCKED by .htaccess
├── core/ ← BLOCKED by .htaccess
├── data/ ← BLOCKED by .htaccess
├── backups/ ← BLOCKED by .htaccess
├── plugins/ ← PHP blocked, assets allowed
├── admin/ ← Admin panel (requires auth)
├── public/ ← Generated static site (served via .htaccess)
└── templates/ ← HTML templates (BLOCKED)
No admin URL leaks: Generated HTML pages NEVER contain references to the admin URL.
<meta name="generator"> says "Klytos" but NOT the admin path.Public assets are separate: CSS, JS, images, and fonts for the public site
live in /assets/ at the web root, NOT inside the admin directory.
Build output goes to root: The build engine writes HTML pages to the web root
and assets to /assets/. The admin directory is never exposed.
Admin URL is configured during installation: The directory name is chosen by the user or auto-generated. It should be random and non-guessable.
random_bytes(32) (CSPRNG).config/.encryption_key with chmod 0600.Encryption::rotateKey().The site admin chooses an encryption level during installation. It determines which data is encrypted at rest:
| Level | What is encrypted |
|---|---|
| Basic | System config only (config.json.enc, license, AI keys, MCP tokens) |
| Medium | + Users, audit logs, sessions, chats, 2FA (GDPR-relevant data) |
| Professional | + ALL data (pages, blocks, templates, theme, menus, forms, logs, etc.) |
The level can be changed bidirectionally from Settings > Security (requires re-auth).
Plugins declare the sensitivity of their options via klytos_register_option(). This provides per-option encryption control independent of the site-wide encryption level:
| Sensitivity | Encrypted at | Example |
|---|---|---|
true | Always (all levels) | API keys, tokens, webhook secrets |
'user_data' | Medium + Professional | Emails, IPs, personal data (GDPR) |
false (default) | Professional only | Colors, toggles, non-sensitive settings |
klytos_register_option('my-plugin.stripe_key', true); // Always encrypted
klytos_register_option('my-plugin.user_email', 'user_data'); // Encrypted from medium
klytos_register_option('my-plugin.color', false); // Only at professional
config/admin-identity.pub.enc (encrypted with AES).config/admin-identity.priv.enc (encrypted with AES).klytos-identity.pem — downloaded during installation, used with klytos-encryption.key for emergency access recovery via the unified installer.Order of authentication in token-auth.php:
Authorization: Bearer <token> → tokens.json.encAuthorization: Bearer <token> → oauth_tokens.json.encAuthorization: Basic base64(user:pass) → app_passwords.json.enc$auth->validateCsrf($token).X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: [with nonce support]
Permissions-Policy: camera=(), microphone=(), geolocation=()
Blocks direct access to:
config/ (encryption keys, credentials)core/ (PHP source code)data/ (encrypted data files)backups/ (backup archives)templates/ (HTML templates).enc files (encrypted data).encryption_key (master key).install.lock (installation lock)VERSION fileEvery significant action is logged with:
Retention: 90 days (configurable), auto-pruned by CronManager.