-
-
Notifications
You must be signed in to change notification settings - Fork 5
Security
WebEngine helps with a number of sensible defaults, but no framework removes the need for secure engineering. Security is an ongoing part of the work, not a one-time setting.
The main areas to keep in view are:
- CSRF protection
- session and cookie safety
- input validation
- output handling
- secrets and configuration
- server configuration
These are not separate from ordinary application work. They are part of it.
WebEngine already gives us some useful pieces:
- protected globals to reduce accidental request-data leakage
- structured input handling instead of raw superglobals
- a request lifecycle that keeps the entry points predictable
- built-in support for secure patterns such as CSRF protection
If you want the CSRF component details, those are documented at https://www.php.gt/docs/Csrf/Home/.
Common mistakes include leaving debug features enabled in production, trusting raw user input, binding HTML when plain text would be safer, and mixing sensitive logic into page views.
It is also worth treating server configuration as part of application security. A perfectly written page is not much help if the wrong files are publicly reachable.
In the reference chapter, we will cover the gt commands.
- File-based routing
- Page views
- Page logic
- Dynamic URIs
- Headers and footers
- Custom HTML components
- Page partials
- Binding data to the DOM
- DOM manipulation
- Hello You tutorial
- Todo list tutorial
- Address book tutorial WIP
- Blueprints
- Application architecture
- Coding styleguide WIP
- PHP environment setup WIP
- Web servers WIP
- Background cron tasks
- Database setup WIP
- Client-side compilation WIP
- Testing WebEngine applications WIP
- Production checklist WIP
- Security WIP