Security - PhpGt/WebEngine GitHub Wiki

While WebEngine aims to help get applications set up on the right path, security on the web is always a battle. The reality is that no application will ever be developed to be 100% secure. Here is a checklist of security considerations worth following when developing any web application:

Note: this list is a work in progress. Please feel free to add to it by editing the GitHub Wiki.

General security considerations

  • Use SSL/TLS (serve the application over HTTPS) to prevent man-in-the-middle (MITM) attacks, amongst many others. Serving an application over plain HTTP is wicked.
  • Web servers should have their document root set to a subdirectory of the application source, never the source root. This prevents badly configured web servers from accidentally serving source code. WebEngine uses the www/ directory for this.
  • Separate code from the view to prevent accidentally leaking information to the user. WebEngine uses Page View and Page Logic to isolate HTML from PHP.
  • Use a gateway or content delivery service to help mitigate denial of service (DoS) attacks.
  • Turn off debugging and verbose logging in production.
  • Never expose auto-increment IDs to users; use a UUID instead, so that other records' IDs cannot be guessed by incrementing a number.
  • Always send the correct Content-Type, X-Frame-Options and Content-Security-Policy headers.

User input

  • Generate and validate a random token for every form submission, preventing cross-site request forgery (CSRF). WebEngine automatically handles CSRF by default.
  • Prevent user input from being read by third party code without consent. WebEngine has protected globals and encrypted sensitive fields for this reason.
  • Upload user-submitted files to a CDN first, rather than storing them alongside the application on the web server.
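As an added illustration of the per-form token described above (plain PHP, not WebEngine's own CSRF handling; it assumes native PHP sessions and a constructed form named "change-email"):

```php
<?php
// Added example: per-form CSRF tokens in plain PHP.
// Not WebEngine's implementation; assumes native PHP sessions ($_SESSION).

session_start();

/** Generate a fresh random token, bound to a form name and stored server-side. */
function csrfToken(string $formName): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $_SESSION['csrf'][$formName] = $token;       // replaces any earlier token for this form
    return $token;
}

/** Consume and check a submitted token; single use, so a replayed token fails. */
function csrfValidate(string $formName, ?string $submitted): bool {
    $expected = $_SESSION['csrf'][$formName] ?? null;
    unset($_SESSION['csrf'][$formName]);         // discard regardless of outcome
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

// Rendering the form (GET): embed the token as a hidden field.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = csrfToken('change-email');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
       . '<input type="email" name="email"> <button>Save</button>'
       . '</form>';
}

// Handling the submission (POST): reject before touching any other input.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValidate('change-email', $_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // Safe to act on $_POST['email'] from here on.
}
```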

Authentication

  • Wherever possible, use an existing authentication mechanism. The perfect solution is never to handle usernames and passwords. PHP.Gt has a planned authentication mechanism in development to handle authentication for its applications.
  • Use OAuth wherever possible.
  • Validate OAuth fields against a whitelist of permitted services.
  • Never use HTTP Basic Auth.
  • Use account locking or shadow banning to respond to authentication abuse, such as repeated failed logins.
  • Log all authentication attempts for auditing.