What makes CakePHP safe and how can we increase its security?

I'm currently learning about the structure of CakePHP, and I just wanted to know what makes CakePHP safe. How secure are its components, for example, how secure is the authentication component? Also, what can we do as developers to increase the security of our core CakePHP web application?

Also do you guys recommend any books or sites to learn more about CakePHP security?

Hope to hear from you guys soon. Thanks.

+7
security php web-applications cakephp
4 answers

Cake follows best practices in many areas and has fairly secure tools built in, with infrastructure that already covers many typical webapp security areas. You do not need to worry about SQL injection, for example, since Cake's database abstraction escapes all input. Where that is not the case, the guide warns you:

updateAll(array $fields, array $conditions)

! The $fields array accepts SQL expressions. Literal values must be specified manually.

Using SecurityComponent, you get automatic protection against form tampering.
Data validation is a large, integrated part of the models.
The stock AuthComponent hashes and salts passwords correctly, although this is not necessarily as secure as it could be.
There is a convenient h() shortcut for htmlentities, which you should use to escape output to avoid XSS problems.
And so on, and so forth ...

You still have to use all the components correctly, and be careful not to open any "custom" holes. Cake is just a toolbox; you can still create a terribly insecure application that uses it. You can still shoot yourself in the foot, no matter how good the gun is. The default Cake framework is just a starting point. It is not the be-all and end-all of security; think for yourself. The link provided by John is a really good starting point.

+5
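As an added illustration of the updateAll() warning quoted above (example code written here, not from the answer or from CakePHP's own documentation), assuming a hypothetical Post model with id, title and views columns and CakePHP 1.3-style controller conventions ($this->data for submitted form data):

```php
<?php
// Added example: why updateAll() is the one place Cake's ORM does NOT escape
// for you, and how to stay safe. Assumed model: Post (id, title, views).
class PostsController extends AppController {

    // Safe by design: the value really is an SQL expression. This is the
    // reason $fields accepts raw SQL at all (an atomic counter increment).
    // $conditions, by contrast, is escaped by Cake as usual.
    public function bump($id) {
        $this->Post->updateAll(
            array('Post.views' => 'Post.views + 1'),
            array('Post.id' => $id)
        );
    }

    // Unsafe: a user-supplied string handed to $fields is spliced into the
    // UPDATE statement verbatim, so any quote character in the submitted
    // title changes the meaning of the SQL. This is the hole the manual's
    // "literal values must be specified manually" note refers to.
    public function retitle_unsafe($id) {
        $this->Post->updateAll(
            array('Post.title' => $this->data['Post']['title']),
            array('Post.id' => $id)
        );
    }

    // Fixed: quote the literal through the datasource so it is treated as
    // a string value rather than as SQL. DboSource::value() exists in
    // CakePHP 1.3 and 2.x; the 'string' hint forces string quoting.
    public function retitle($id) {
        $db = $this->Post->getDataSource();
        $this->Post->updateAll(
            array('Post.title' => $db->value($this->data['Post']['title'], 'string')),
            array('Post.id' => $id)
        );
    }

    // Simplest of all for a single row: save() escapes every value, and
    // Model::validates() runs the model's validation rules first.
    public function retitle_with_save($id) {
        $this->Post->id = $id;
        $this->Post->saveField('title', $this->data['Post']['title']);
    }
}
```

The same "expression vs. literal" distinction applies to the h() shortcut in views: echoing $post['Post']['title'] without h() reintroduces the XSS problem the answer mentions.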

Leo: Some sites do not need high levels of security, and it can cause a performance hit. Others must be inviolable.

Sorry, Leo, but I do not agree. Every site that you build, you build with the utmost care for security, regardless of the type of site. Suppose, for example, you built this very tough site for hacker soundframes. You host it on a shared server and, guess what, someone got access to your secure site through a hole in your less secure site. Or even the whole server.

I know this is a doomsday theory, but I believe that such things happen on a daily basis.

+6

The CakePHP framework has been around for quite some time (since 2005) and is open source software. This means that its code is available for review by any developer or non-developer who wants to look at it. The CakePHP and security communities have had plenty of time to research the code base and find/fix potential security issues. This does not mean that the software is perfect, but with CakePHP being so popular, you can bet that it has been examined quite carefully, and if there are any flaws, they are deep and very difficult to find/identify.

But keep in mind, just because the code within the framework is secure does not mean that using it makes your code secure. You still need to follow secure coding rules, because your code base may be vulnerable regardless of the security level of the framework used.

+4

Cake security is pretty good, but everything has holes. For an ultra-secure site, I would research known security holes and bugs and check the site against those cases. It is simply not enough to rely on someone else's word about how secure it is.

Some sites do not need a high level of security, and it can cause a performance hit. Others must be inviolable.

All that said, I am impressed with Cake's built-in system and shouldn't have to modify it.

+2
