Security
WebEngine helps with a number of sensible defaults, but no framework removes the need for secure engineering. Security is an ongoing part of the work, not a one-time setting.
Areas to cover
The main areas to keep in view are:
- CSRF protection
- session and cookie safety
- input validation
- output handling
- secrets and configuration
- server configuration
These are not separate from ordinary application work. They are part of it.
WebEngine-specific safety features
WebEngine already gives us some useful pieces:
- protected globals to reduce accidental request-data leakage
- structured input handling instead of raw superglobals
- a request lifecycle that keeps the entry points predictable
- built-in support for secure patterns such as CSRF protection
If you want the CSRF component details, those are documented at https://www.php.gt/docs/Csrf/Home/.
Common mistakes to avoid
Common mistakes include leaving debug features enabled in production, trusting raw user input, binding HTML when plain text would be safer, and mixing sensitive logic into page views.
It is also worth treating server configuration as part of application security. A perfectly written page is not much help if the wrong files are publicly reachable.
In the reference chapter, we will cover the gt commands.