SecurityCoverage  
This article covers what measures phpRaise has taken to prevent security loopholes, hacking and misuse of the system.
Phase-Implementation
Updated Mar 29, 2011 by hellclan...@gmail.com

Introduction

Security has been essential for web applications since the start of the internet. The fact that attackers do not have root access to the files on the server does not mean they cannot misuse or abuse the system.

phpRaise is built with high security in mind. Every element and component of the framework has been rigorously tested with malicious code and methods, as well as every possible way of using the web application.

Measures

Each measure below is listed with the attack it prevents and a description of how.

Measure: Front Controller Pattern
Prevents: URL Fuzzing
Description: The Front Controller pattern stops attackers from probing for the files available on the server. Even if an attacker is able to work out which files exist, those pages will not display any output unless they are invoked through the Front Controller.

Measure: CSRF Protection
Prevents: Cross Site Request Forgery
Description: CSRF is usually carried out through POST requests whose data may not come from our own server. The built-in CSRF protection in phpRaise therefore adds a special hidden field carrying a token value to every form on the web page. This token is validated whenever a POST request is made.

Measure: XSS Protection
Prevents: Cross Site Scripting
Description: Cross Site Scripting is prevented by automatically escaping attributes and values within RaiseUIControl and RaiseHtmlTag.

Measure: Anti Session Fixation
Prevents: Session Fixation
Description: phpRaise offers anti-fixation by allowing developers to regenerate a new Session ID for the user when the authentication level changes (such as logging in or out). phpRaise also regenerates a new Session ID when the internal expiry is reached.

Measure: Anti Session Hijacking
Prevents: Session Hijacking
Description: When the client first creates a new session, the hash of its user agent (known as the Session Signature) is saved into the session. On each session load, phpRaise checks whether the user agent sent by the client matches the one stored in the Session Signature. If it differs, a new session is created for the attacker without fail.

Measure: Improved Session ID Generation
Prevents: Session ID Prediction
Description: The built-in PHP session ID generation is known to be predictable. phpRaise uses its own ID generation to produce longer and less predictable session IDs for higher security. There is also 100% no session ID clashing between 2 different users.

Measure: Feature Limiting
Prevents: Brute Force Attack & Denial of Service
Description: Through the use of RaiseLimiter, a web application can limit the resources it delivers. Against brute force attacks, RaiseLimiter can be used to limit the number of login attempts for a particular account, which prevents accounts from being compromised by brute force. Against denial of service, RaiseLimiter can reduce the exhaustion of resources on the web server.
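As an added example (not phpRaise's own code), the following shows how the Anti Session Fixation and Anti Session Hijacking measures above can be applied with plain PHP sessions: a user-agent hash is stored as the session signature on first load, compared on every later load, and the session ID is regenerated on any change of authentication level. The hash algorithm, the key names and the function names are assumptions; the page does not state which phpRaise uses.

```php
<?php
// Added example, not part of phpRaise. Names and the SHA-256 choice are assumptions.
declare(strict_types=1);

const SIG_KEY = '_session_signature';

// Session Signature: a hash of the client's user agent, as the page describes.
function sessionSignature(array $server): string
{
    return hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
}

// Anti Session Hijacking: on every load compare the stored signature with the
// one computed from the current request. On a mismatch, discard the existing
// state and start a fresh session, so a stolen ID never yields the victim's data.
function loadSession(array $server): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $current = sessionSignature($server);
    if (!isset($_SESSION[SIG_KEY])) {
        $_SESSION[SIG_KEY] = $current;   // first visit: record the signature
        return;
    }
    if (!hash_equals($_SESSION[SIG_KEY], $current)) {
        $_SESSION = [];                  // drop the hijacked session's state
        session_regenerate_id(true);     // new ID; the old one is deleted
        $_SESSION[SIG_KEY] = $current;   // the fresh session belongs to this client
    }
}

// Anti Session Fixation: whenever the authentication level changes (login or
// logout), issue a new session ID so an ID planted before login is useless.
function changeAuthLevel(?int $userId): void
{
    session_regenerate_id(true);
    if ($userId === null) {
        unset($_SESSION['user_id']);     // logout
    } else {
        $_SESSION['user_id'] = $userId;  // login
    }
}

// Hypothetical usage on every request:
loadSession($_SERVER);
// ... and after credentials have been verified:
// changeAuthLevel(42);
```

The expiry-driven regeneration the page also mentions would be a further call to session_regenerate_id(true) when a stored timestamp in the session is older than the configured lifetime.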
