Security
Greg Bowler edited this page Oct 16, 2019 · 7 revisions
While WebEngine aims to set applications up on the right path, security on the web is an ongoing battle. The reality is that no application will ever be 100% secure. Here is a checklist of security considerations that are worth following when developing any web application:
Note: this list is work-in-progress. Please feel free to add to it by editing the Github Wiki.
- Serve the application over HTTPS (TLS) to prevent man-in-the-middle (MITM) attacks, amongst many others. Never serve an application over plain HTTP.
- Web servers should have their document root set to a subdirectory of the application source, never the source root itself. This prevents a badly configured web server from accidentally serving source code. WebEngine uses the `www/` directory for this.
- Separate code from the view to prevent accidentally leaking information to the user. WebEngine uses Page View and Page Logic to isolate HTML from PHP.
- Use a gateway or content delivery service to prevent denial of service (DoS) attacks.
- Turn off debugging and verbose logging in production.
- Never expose auto-increment IDs to users, since they let an attacker guess the IDs of other records; use a UUID instead.
- Always send the correct Content-Type, X-Frame-Options and Content-Security-Policy headers.
- Generate and validate a random token for every form submission, preventing cross-site request forgery (CSRF). WebEngine automatically handles CSRF by default.
- Prevent user input from being read by third party code without consent. WebEngine has protected globals and encrypted sensitive fields for this reason.
- Upload user-supplied files to a CDN first, rather than writing them into the application's own directories and serving them from the application server.
- Wherever possible, use an existing authentication mechanism: the ideal is never to handle usernames and passwords yourself. PHP.Gt has an authentication mechanism in development to handle authentication for its applications.
- Use OAuth wherever possible.
- Validate OAuth fields against a whitelist of allowed providers.
- Never use HTTP Basic Auth.
- Use account locking or shadow banning to limit authentication abuse.
- Log all authentication attempts for auditing.
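The response-header, CSRF-token and UUID items above, written out in plain PHP as an added example. This is not WebEngine's own code (WebEngine handles CSRF itself); the form name `contact`, the `$session` array standing in for `$_SESSION`, and the exact Content-Security-Policy value are constructed for the demo and would be tuned per application.

```php
<?php
declare(strict_types=1);

// Added example, not WebEngine code. Plain-PHP versions of three checklist items:
// security headers, a single-use per-form CSRF token, and UUIDv4 identifiers.

/** Send the headers the checklist asks for. Must run before any output. */
function sendSecurityHeaders(string $contentType = "text/html; charset=utf-8"): void {
	header("Content-Type: $contentType");
	header("X-Frame-Options: DENY");
	// Example policy: same-origin scripts/styles only, no plugins, no framing, no inline script.
	header("Content-Security-Policy: default-src 'self'; object-src 'none'; "
		. "frame-ancestors 'none'; base-uri 'self'; form-action 'self'");
	// Companion headers for the TLS and Content-Type items: no MIME sniffing, HTTPS only.
	header("X-Content-Type-Options: nosniff");
	header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
}

/** Issue a fresh random token for one named form and remember it in the session. */
function issueCsrfToken(array &$session, string $formName): string {
	$token = bin2hex(random_bytes(32));
	$session["csrf"][$formName] = $token;
	return $token;
}

/** Validate and consume a submitted token. Constant-time compare; one use only. */
function validateCsrfToken(array &$session, string $formName, ?string $submitted): bool {
	$expected = $session["csrf"][$formName] ?? null;
	unset($session["csrf"][$formName]); // consume whether or not it matches
	if ($expected === null || $submitted === null) {
		return false;
	}
	return hash_equals($expected, $submitted);
}

/** Random (version 4) UUID to expose instead of a database auto-increment ID. */
function uuid4(): string {
	$bytes = random_bytes(16);
	$bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40); // version nibble = 4
	$bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80); // RFC 4122 variant bits
	return vsprintf("%s%s-%s-%s-%s-%s%s%s", str_split(bin2hex($bytes), 4));
}

// Constructed demo: a stand-in session array and one form round trip.
sendSecurityHeaders();
$session = [];
$token = issueCsrfToken($session, "contact");
echo '<input type="hidden" name="csrf" value="'
	. htmlspecialchars($token, ENT_QUOTES, "UTF-8") . '">', "\n";
echo "first submission accepted: ", var_export(validateCsrfToken($session, "contact", $token), true), "\n";
echo "replayed token accepted:   ", var_export(validateCsrfToken($session, "contact", $token), true), "\n";
echo "public record id: ", uuid4(), "\n";
```

The token is bound to the form name and removed on first use, so a leaked or replayed token is rejected; `hash_equals` avoids leaking the stored value through comparison timing.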
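Account locking and authentication audit logging (the last two items), as an added example in plain PHP rather than PHP.Gt's planned mechanism. The `LoginGuard` class, its in-memory state, the thresholds, the user `alice` and the IP address are all constructed for the demo; a real application would persist the lockout state and ship the log lines to an audit store.

```php
<?php
declare(strict_types=1);

// Added example, not WebEngine code. Locks an account after repeated failures and
// writes one JSON audit line per attempt, without ever logging the password itself.

const MAX_FAILURES = 5;    // failures before the account is locked
const LOCK_SECONDS = 900;  // lock duration

final class LoginGuard {
	/** @var array<string, array{failures:int, lockedUntil:int}> */
	private array $state = [];
	/** @var list<string> */
	private array $auditLog = [];
	private string $dummyHash;

	/** @param array<string,string> $passwordHashes username => password_hash() output */
	public function __construct(private array $passwordHashes) {
		// Verified against for unknown users so timing does not reveal which usernames exist.
		$this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
	}

	public function attempt(string $username, string $password, string $ip, int $now): bool {
		$record = $this->state[$username] ?? ["failures" => 0, "lockedUntil" => 0];

		if ($record["lockedUntil"] > $now) {
			$this->audit("locked", $username, $ip, $now);
			return false; // refused even if the password is right
		}

		$hash = $this->passwordHashes[$username] ?? $this->dummyHash;
		$ok = password_verify($password, $hash) && isset($this->passwordHashes[$username]);

		if ($ok) {
			unset($this->state[$username]);
			$this->audit("success", $username, $ip, $now);
			return true;
		}

		$record["failures"]++;
		if ($record["failures"] >= MAX_FAILURES) {
			$record["lockedUntil"] = $now + LOCK_SECONDS;
			$record["failures"] = 0;
		}
		$this->state[$username] = $record;
		$this->audit("failure", $username, $ip, $now);
		return false;
	}

	public function isLocked(string $username, int $now): bool {
		return ($this->state[$username]["lockedUntil"] ?? 0) > $now;
	}

	/** @return list<string> */
	public function auditLog(): array {
		return $this->auditLog;
	}

	private function audit(string $outcome, string $username, string $ip, int $now): void {
		$this->auditLog[] = json_encode([
			"ts" => gmdate(DATE_ATOM, $now),
			"event" => "auth",
			"outcome" => $outcome,
			"user" => $username,
			"ip" => $ip,
		], JSON_THROW_ON_ERROR);
	}
}

// Constructed demo: one known user, five bad passwords, then the right one.
$guard = new LoginGuard(["alice" => password_hash("correct horse", PASSWORD_DEFAULT)]);
$t = 1_700_000_000;
for ($i = 0; $i < MAX_FAILURES; $i++) {
	$guard->attempt("alice", "wrong-$i", "203.0.113.7", $t + $i);
}
echo "locked after repeated failures:      ", var_export($guard->isLocked("alice", $t + 10), true), "\n";
echo "right password while locked:         ", var_export($guard->attempt("alice", "correct horse", "203.0.113.7", $t + 10), true), "\n";
echo "right password after lock expires:   ", var_export($guard->attempt("alice", "correct horse", "203.0.113.7", $t + LOCK_SECONDS + 11), true), "\n";
echo implode("\n", $guard->auditLog()), "\n";
```

Every attempt, including those refused because of the lock, produces an audit line, which is what makes brute-force and credential-stuffing patterns visible after the fact.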