Security
Greg Bowler edited this page Sep 4, 2018
- Use SSL to prevent man in the middle attacks (MITM). Serving an application over HTTP is wicked.
- Web servers should have their document root set to a nested directory of the application source. This prevents badly configured web servers from accidentally serving source code. WebEngine uses the www/ directory for this.
- Generate and validate a random token for every form submission, preventing cross-site request forgery (CSRF). WebEngine automatically handles CSRF by default.
- Prevent all user input from being read by third party code without consent. WebEngine has protected superglobals and encrypted sensitive fields for this reason.
- Wherever possible, use an existing authentication mechanism. The perfect solution is never to handle usernames and passwords. PHP.Gt has a planned authentication mechanism in development to handle authentication for its applications.
- Use OAuth wherever possible.
- Validate OAuth fields against a whitelist of permitted services.
- Never use HTTP Basic Auth.
- Use account locking or shadow banning for authentication abuse.
- Log all authentication for auditing.
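WebEngine handles the CSRF token for you, but it helps to see what "generate and validate a random token for every form submission" means in practice. The following is an added example in plain PHP, not WebEngine's own implementation: the session key name, the form name and the field name `csrf_token` are assumptions, and an in-memory array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example (not PHP.Gt/WebEngine code): a minimal CSRF token lifecycle.
declare(strict_types=1);

const CSRF_SESSION_KEY = "csrf_tokens"; // assumed session key, one token per form name

// Generate a fresh token for a named form and remember it server side.
function csrfGenerateToken(array &$session, string $formName): string
{
    // 32 bytes from the OS CSPRNG, hex encoded so it is safe to embed in HTML.
    $token = bin2hex(random_bytes(32));
    $session[CSRF_SESSION_KEY][$formName] = $token;
    return $token;
}

// Validate the submitted token against the stored one. The stored token is
// removed before comparing, so each token is single use whatever the outcome.
function csrfValidateToken(array &$session, string $formName, ?string $submitted): bool
{
    $expected = $session[CSRF_SESSION_KEY][$formName] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    unset($session[CSRF_SESSION_KEY][$formName]);
    // Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hash_equals($expected, $submitted);
}

// Render the hidden field that carries the token back with the form.
function csrfHiddenField(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, "UTF-8") . '">';
}

// Demonstration with a constructed in-memory session instead of $_SESSION.
$session = [];

$token = csrfGenerateToken($session, "contact");
echo csrfHiddenField($token), PHP_EOL;

// Constructed submissions: a genuine one, a replay of the same token, and a guess.
$results = [
    "genuine submission" => csrfValidateToken($session, "contact", $token),
    "replayed token"     => csrfValidateToken($session, "contact", $token),
];
$token = csrfGenerateToken($session, "contact");
$results["guessed token"] = csrfValidateToken($session, "contact", "not-the-real-token");

foreach ($results as $case => $accepted) {
    printf("%-20s %s%s", $case, $accepted ? "accepted" : "rejected", PHP_EOL);
}
```

The token is tied to a form name rather than being global, so several forms open in different tabs do not invalidate each other, and it is consumed on first validation, which closes the window for replaying an intercepted request.

A second added example, again plain PHP and not PHP.Gt code, covers the last two points of the list: locking an account after repeated failures and writing an audit record for every authentication attempt. The failure threshold, lock duration and log format are assumptions, and the clock is passed in explicitly so the lock window can be exercised without waiting.

```php
<?php
// Added example (not PHP.Gt/WebEngine code): account locking plus audit logging
// for authentication attempts. Requires PHP 8.0+ for constructor promotion.
declare(strict_types=1);

const MAX_FAILURES = 5;    // assumed policy: lock after five consecutive failures
const LOCK_SECONDS = 900;  // assumed policy: lock for fifteen minutes

final class LoginGuard
{
    /** @var array<string, array{failures:int, lockedUntil:int}> per-user counters */
    private array $state = [];
    /** @var list<string> audit records as JSON lines; a real app would write to a log sink */
    private array $auditLog = [];
    private string $dummyHash;

    /** @param array<string,string> $users username => password_hash() output */
    public function __construct(private array $users)
    {
        // Verified against for unknown usernames so response time does not reveal
        // which usernames exist.
        $this->dummyHash = password_hash("placeholder-not-a-real-password", PASSWORD_DEFAULT);
    }

    public function attempt(string $username, string $password, int $now): bool
    {
        $entry = $this->state[$username] ?? ["failures" => 0, "lockedUntil" => 0];

        if ($entry["lockedUntil"] > $now) {
            $this->audit($now, $username, "rejected_locked");
            return false;
        }

        $hash = $this->users[$username] ?? $this->dummyHash;
        $ok = password_verify($password, $hash) && isset($this->users[$username]);

        if ($ok) {
            unset($this->state[$username]); // success resets the counter
            $this->audit($now, $username, "success");
            return true;
        }

        $entry["failures"]++;
        if ($entry["failures"] >= MAX_FAILURES) {
            $entry = ["failures" => 0, "lockedUntil" => $now + LOCK_SECONDS];
            $this->audit($now, $username, "locked");
        } else {
            $this->audit($now, $username, "failure");
        }
        $this->state[$username] = $entry;
        return false;
    }

    // Record who, when and what happened. The password itself is never logged.
    private function audit(int $now, string $username, string $outcome): void
    {
        $this->auditLog[] = json_encode([
            "ts"       => date(DATE_ATOM, $now),
            "user"     => $username,
            "outcome"  => $outcome,
        ], JSON_THROW_ON_ERROR);
    }

    /** @return list<string> */
    public function auditLog(): array
    {
        return $this->auditLog;
    }
}

// Constructed demonstration data: one known user with a hashed password.
$guard = new LoginGuard(["alice" => password_hash("correct horse battery staple", PASSWORD_DEFAULT)]);
$t = 1_700_000_000; // constructed fixed timestamp

for ($i = 0; $i < MAX_FAILURES; $i++) {
    $guard->attempt("alice", "wrong-guess-$i", $t + $i);   // five failures trigger the lock
}
$guard->attempt("alice", "correct horse battery staple", $t + 10);            // correct password, but locked
$guard->attempt("alice", "correct horse battery staple", $t + LOCK_SECONDS + 1); // lock expired
$guard->attempt("nobody", "anything", $t + LOCK_SECONDS + 2);                 // unknown user, same code path

echo implode(PHP_EOL, $guard->auditLog()), PHP_EOL;
```

Two details matter for defenders here: a correct password during the lock window is still refused and still logged, so the audit trail shows the attacker's guesses and the legitimate owner's attempts side by side, and the unknown-user path costs the same `password_verify` call as a known user, so the log is the only place usernames are distinguished.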