Good security practices in CakePHP

I want to be sure I'm not missing any good security practice, so I ask you.

1) First, I should protect myself against SQL injection (this should be automatic provided I use Cake methods)

2) Then I should use Sanitize::html() on user input which will be displayed, to avoid XSS

3) I should also be sure that no bad people are messing with my forms (removing fields and so on). This should be automatic if I use the Security component. Or I can just set required='true' on the expected fields, and use the $fieldList parameter of the method save() to decide which fields to accept, and ignore the rest

4) In all actions like login(), I should check if the user is already authenticated, and if so redirect him somewhere else. This is in order to avoid session fixation. (By the way, is this really necessary, or does some CakePHP automagic protect against this kind of attack?)

5) I should use Security->RequirePost() on actions which expect POST data

6) If I am paranoid I may also set Security->allowedActions and Security->allowedControllers to be sure that the data submitted comes from the expected controller and action

7) If the application is going to run on a shared host, I may want to tell CakePHP to save session data in app/tmp or even better in the database. Otherwise other people on the same server will be able to read them (depending on the settings of the shared host).

What more? Have I forgotten something?
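
An added example, not part of the original post, showing how items 2, 3 and 5 fit together in one model and controller. It assumes CakePHP 1.3 conventions and a hypothetical Post model with `title` and `body` columns; the two classes would live in separate files in a real application.

```php
<?php
// Constructed example: hypothetical Post model/controller, CakePHP 1.3 style.
// app/models/post.php
class Post extends AppModel {
    var $name = 'Post';
    // 'required' => true fails validation when the key is missing entirely,
    // which covers a form field stripped out on the client side.
    var $validate = array(
        'title' => array('rule' => 'notEmpty', 'required' => true),
        'body'  => array('rule' => 'notEmpty', 'required' => true),
    );
}

// app/controllers/posts_controller.php
App::import('Sanitize');
class PostsController extends AppController {
    var $name = 'Posts';
    var $components = array('Security', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // State-changing action: requests that are not POST are black-holed.
        $this->Security->requirePost('delete');
    }

    function add() {
        if (!empty($this->data)) {
            $this->Post->create();
            // Third argument is the field whitelist: any other key in the
            // request (for example an extra id or user_id) is ignored.
            if ($this->Post->save($this->data, true, array('title', 'body'))) {
                $this->Session->setFlash('Post saved');
                $this->redirect(array('action' => 'index'));
            }
        }
    }

    function view($id = null) {
        $post = $this->Post->read(null, $id);
        if (!$post) {
            $this->redirect(array('action' => 'index'));
        }
        // Escape user-supplied text before it reaches the template.
        $this->set('title', Sanitize::html($post['Post']['title']));
    }

    function delete($id = null) {
        $this->Post->delete($id);
        $this->redirect(array('action' => 'index'));
    }
}
```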