Security Problem with composer using allow_url_fopen


I am having trouble installing the application manually! the recommendation is to use composer to install the API However; composer uses/requires allow_url_fopen to operate which you have to provide access to thus opening up the server to abuse, this poses a security risk on a whole server as I am consistently reminded by security and firewall vendors.

Bottom line: I am against using composer on one site or any site for that matter that threatens the security of my server especially with GDPR in mind.

That said: I would really like to use ontraport? And

However according to your FAQ and community if I don’t use composer then it will not function properly without using composer. Additionally; there are dependencies involved that I will not get if installed manually.

on the one hand OAuth2 is supposed to be more secure, on the other I have to loosen the security on a server in order to use it fully? how is this right…

I use both zoho and ontraport without this problem.

Could anyone advise a way to install the ontraport API, either manually or automatically without this risk?


Hi Paul,

You mention Ontraport in your message, did you mean Infusionsoft?

Infusionsoft SDK can be downloaded from here:

Alternatively, you could use Composer on your local computer, and upload the software onto the server instead. No need to install Composer on the server.

Personally I do not use Composer either. If one of the Dependency Packages fails to get updated or major changes are done over time, then the software you are compiling will fail to work properly. It is like a house of cards in that respect.

Thank you for your reply… and exactly my thoughts.

apologies, yes, my APP uses ontraport and zoho… infusionsoft is another platform I wanted to add to the mix, but always prefer the hands on approach so I know exactly what is going on :laughing:

plus, the issue with security using composer in my mind using any compiler or library management tool on a public accessible machine is just asking for trouble there is enough stuff to secure (i.e. PHP/Perl/mail Etc.) without adding to the mix.

I did think of compiling it locally but then I would need to watch it constantly for dependencies to avoid the house of cards effect you mention.

There has to be (or hoping there was) a better way?

At present It’s looking like more work i.e. building a more secure way of doing this.

Alternatively you could use Novak SDK instead.

That maybe a better solution for you, but it is an unofficial SDK.

Thanks, will take a look at that one :slight_smile:

Hey Paul, seems like your question has already been answered? :slight_smile: Just wanted to share a useful web-site, too. I believe it can be of some help in case you have other issues with security or privacy: