Chapter 8. Security
Knowledge is power. Guard it well.
WHAT'S IN THIS CHAPTER?
Setting secure SSL connections
Defending against XSS injection attacks
Securing forms against CSRF session hijacking
Security enforcement is one of the best things that frameworks have to offer. While basic functionalities of a web application are mostly straightforward and obvious, proper dealing with security takes a lot of work and knowledge. This is also very responsible work. When you mess up something trivial like mailing, this error shows right away, and you can fix it before the application is launched. On the contrary, when there is a hole in security, it remains completely unseen until somebody exploits it; then the damage may be catastrophic.
When you are an inexperienced programmer, frameworks do a great job of taking care of the best security practices for you. If you are a professional, they are still valuable because they save you from writing a lot of not really exciting fragments of code. This chapter takes a closer look at various security problems like setting safe HTTPS connections that allow sending vulnerable data. Next we'll show how to defend against a cross-site scripting (XSS) attack that injects malicious code into a website, and a cross-site request forgery (CSRF) that hijacks the security context of an inconspicuous user.
SETTING SECURE CONNECTIONS
In most cases, sending unsecured data is a normal behavior, but when an application has more to do with ...
Get Building PHP Applications with Symfony™, CakePHP, and Zend® Framework now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.