PHP Security Tip #14
by Cal Evans (editor)
|
2 comments | Wednesday, March 21, 2007
Almost any application running PHP on the back-end uses web technologies for it’s front end. Many developers who think hard on PHP security, don’t spend a thought on front-end security for their application. Here’s a tip to think long and hard about when building your HTML and JavaScript.
Any data inside of a cookie can be potentially seen by others- restrict to a minimum
It’s a sad fact on today’s web but there are bad people out there. They want nothing more than for your application to leak sensitive data so they can exploit it. Make sure you look at the whole picture when evaluating the security of your application. This is very important when looking at what information you persist on the front end.
Comments
Perhaps, instead of many small tips that are hard to remember, we would provide some simple principles that can help secure anything, not just PHP/HTML/Javascript? A good understanding of the architecture of a online session with a web application could help one to think of his security more.
Thank you for the devzone. I wish it can grow as big as a MDSN for PHP. :-)
Hi Tim,
First, thanks for posting.
Yes, in many cases, the tips are short, especially, of late since we quickly ran through the obvious ones. However, the concepts they express are no less important.
Take for example, this one you responded to. It’s not a concept that can easily be expressed in code that is meaningful. The idea is only meaningful when you are working on your front end code. I could have shown some sample code that set a cookie with someone’s full name and address and put the word BAD above it in bold letters but I felt everyone could see that already.
My hope is that people see these tips as a quick way to start their days that will remind them to look for ways to secure their code during the day.
=C=