Security
Basic Authentication
Basic Authentication (BasicAuth) is an authentication scheme built into the HTTP protocol. The credentials in the header are only Base64-encoded, not encrypted, so it is a secure authentication mechanism only as long as the client transmits its data over HTTPS.
Authorization: Basic YXBpLXVzZXI6c2VjcmV0
The tuupola/slim-basic-auth package implements HTTP Basic Authentication.
- Basic Authentication (Slim 4 - eBook Vol. 1)
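The following is an added example, not code from the Slim documentation or from the tuupola/slim-basic-auth package. It parses a Basic Authorization header in plain PHP, decodes the sample header from above to show that Base64 is an encoding rather than encryption, and checks the credentials against a hashed password store. The user list and the dummy hash are constructed for the demo; in a real application the store comes from a database or configuration.

```php
<?php
declare(strict_types=1);
// Added example: parsing and checking "Authorization: Basic <base64>" in plain PHP.
// Not code from Slim or tuupola/slim-basic-auth.

// Constructed credential store: username => password_hash() output.
$users = [
    'api-user' => password_hash('secret', PASSWORD_DEFAULT),
];
// Hash used for unknown users so that verification takes the same time
// whether or not the username exists (no username enumeration via timing).
$dummyHash = password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

/**
 * Extract [username, password] from a Basic Authorization header value.
 * Returns null when the header is missing, malformed, or not Basic.
 */
function parseBasicAuth(string $header): ?array
{
    if (!preg_match('#^Basic\s+([A-Za-z0-9+/=]+)$#i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || !str_contains($decoded, ':')) {
        return null;
    }
    // The user-id may not contain ':', the password may, so split only once.
    [$user, $password] = explode(':', $decoded, 2);
    return [$user, $password];
}

/** Return true only if the header carries credentials for a known user. */
function authenticate(array $users, string $dummyHash, string $header): bool
{
    $credentials = parseBasicAuth($header);
    if ($credentials === null) {
        return false;
    }
    [$user, $password] = $credentials;
    $known = isset($users[$user]);
    $hash = $known ? $users[$user] : $dummyHash;
    // Always run password_verify, then AND with $known, to keep timing uniform.
    return password_verify($password, $hash) && $known;
}

// The header from the documentation decodes to a plain "user:password" pair,
// which is why Basic Auth must only ever travel over TLS.
echo "decoded header: ", base64_decode('YXBpLXVzZXI6c2VjcmV0'), "\n";

$cases = [
    'correct credentials'   => 'Basic YXBpLXVzZXI6c2VjcmV0',
    'wrong password'        => 'Basic ' . base64_encode('api-user:wrong'),
    'unknown user'          => 'Basic ' . base64_encode('nobody:secret'),
    'not a Basic header'    => 'Bearer RsT5OjbzRn430zqMLgV3Ia',
    'malformed base64'      => 'Basic not*base64',
];
foreach ($cases as $label => $header) {
    echo str_pad($label, 22), ': ', var_export(authenticate($users, $dummyHash, $header), true), "\n";
}

// On failure a server responds with 401 and a challenge, for example:
// WWW-Authenticate: Basic realm="api", charset="UTF-8"
```

In a Slim application this check would live in a middleware that reads the header from the PSR-7 request and returns a 401 response with the `WWW-Authenticate` challenge when `authenticate()` is false; the middleware package listed above does exactly that with a configurable user list.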
OAuth 2.0
For authorization, you could consider using OAuth 2.0 in combination with a signed JSON Web Token (JWT).
JWTs can be used as OAuth 2.0 bearer tokens, encoding all relevant parts of an access token into the token itself instead of having to store them in a database.
Please note: OAuth 2.0 is not an authentication protocol.
Clients may use the HTTP Basic authentication scheme, as defined in RFC2617, to authenticate with the server.
After successful authentication, the client sends its token within the Authorization request header:
Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
The lcobucci/jwt and firebase/php-jwt packages are very good tools for working with JSON Web Tokens.
- Firebase JWT (Slim 4 - eBook Vol. 2)
- Mezzio OAuth2 Server (Slim 4 - eBook Vol. 2)
- JSON Web Token (JWT) (Slim 4 - eBook Vol. 1)
- OAuth Libraries for PHP
- Auth0 PHP SDK
- Stop using JWT for sessions
- Swagger - OAuth 2.0
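To make concrete what "signed JSON Web Token" means, here is an added example in plain PHP that creates and verifies an HS256-signed JWT. It is not code from lcobucci/jwt, firebase/php-jwt, or Slim; those libraries do the same work with more algorithms and claim checks. The secret and claims are constructed for the demo. The verifier pins the algorithm to HS256 and rejects tokens whose header says anything else, compares the signature in constant time, and enforces the `exp` and `nbf` claims.

```php
<?php
declare(strict_types=1);
// Added example: minimal HS256 JWT signing and verification in plain PHP.
// Not code from lcobucci/jwt, firebase/php-jwt or Slim.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string|false
{
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

/** Create a compact JWT (header.payload.signature) signed with HMAC-SHA256. */
function createJwt(array $claims, string $secret): string
{
    $header = base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64UrlEncode(json_encode($claims));
    $signature = base64UrlEncode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$signature";
}

/**
 * Verify a JWT and return its claims, or null if anything is wrong.
 * The algorithm is fixed by the server, never taken from the token: a header
 * claiming "alg":"none" or a different algorithm is rejected outright.
 */
function verifyJwt(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) base64UrlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given = base64UrlDecode($s);
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $claims = json_decode((string) base64UrlDecode($p), true);
    if (!is_array($claims)) {
        return null;
    }
    // exp and nbf are Unix timestamps; reject expired or not-yet-valid tokens.
    if (isset($claims['exp']) && $now >= (int) $claims['exp']) {
        return null;
    }
    if (isset($claims['nbf']) && $now < (int) $claims['nbf']) {
        return null;
    }
    return $claims;
}

// Constructed values: a random 32-byte secret and a token valid for five minutes.
$secret = random_bytes(32);
$now = time();
$token = createJwt(['sub' => 'api-user', 'scope' => 'read', 'iat' => $now, 'exp' => $now + 300], $secret);
echo "Authorization: Bearer $token\n";

// Tampered payload: same signature, different claims.
[$h, $p, $s] = explode('.', $token);
$tampered = $h . '.' . base64UrlEncode(json_encode(['sub' => 'admin', 'exp' => $now + 300])) . '.' . $s;
// Token whose header claims no signature at all.
$unsigned = base64UrlEncode(json_encode(['alg' => 'none'])) . ".$p.";

$cases = [
    'valid token'          => [$token, $now],
    'expired token'        => [$token, $now + 600],
    'tampered payload'     => [$tampered, $now],
    'alg none, no signature' => [$unsigned, $now],
    'wrong secret'         => [$token, $now, random_bytes(32)],
];
foreach ($cases as $label => $case) {
    $claims = verifyJwt($case[0], $case[2] ?? $secret, $case[1]);
    echo str_pad($label, 24), ': ', $claims === null ? 'rejected' : 'accepted for ' . $claims['sub'], "\n";
}
```

Because the claims are only signed, not encrypted, anyone holding the token can read them; put nothing in the payload that the client must not see, and keep tokens short-lived, since a self-contained token cannot be revoked from a database the way a stored session can.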
Cross-site Request Forgery (CSRF) Protection
Cross-site request forgery (CSRF) is a web security vulnerability that tricks a victim’s browser into performing unwanted actions on a web application where the user is authenticated, without their knowledge or consent.
- CSRF (Slim 4 - eBook Vol. 2)
- Slim Framework CSRF Protection
SameSite Cookies can be used for security purposes to prevent CSRF attacks, by controlling whether cookies are sent along with cross-site requests, thereby limiting the risk of third-party interference with the intended functioning of web applications.
- SameSite Cookies (Slim 4 - eBook Vol. 2)
- selective/samesite-cookie
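The two mitigations described above, a per-session CSRF token and a session cookie carrying the SameSite attribute, are shown together in this added example. It is plain PHP, not code from Slim, slim/csrf or selective/samesite-cookie, and it uses a local array in place of `$_SESSION` so that it runs from the command line; the session key name `csrf_token` and the field name are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example: synchronizer-token CSRF check plus a SameSite session cookie.
// Not code from Slim, slim/csrf or selective/samesite-cookie.

/**
 * Session cookie attributes. SameSite=Lax withholds the cookie on cross-site
 * POSTs (the classic CSRF vector) while still sending it on top-level navigations;
 * Secure and HttpOnly are defence in depth. Must be called before session_start().
 */
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',   // 'Strict' if the app has no cross-site entry points
    ]);
}

/** Return the per-session CSRF token, generating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden form field carrying the token (escaped for the HTML attribute context). */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * Validate a request. Safe methods (GET, HEAD, OPTIONS) are exempt because they
 * must not change state; every other method must carry the session token,
 * compared in constant time.
 */
function csrfCheck(array &$session, string $method, array $post): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $submitted = $post['csrf_token'] ?? null;
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Constructed demo: an array stands in for $_SESSION.
$session = [];
echo csrfField($session), "\n";

$cases = [
    'GET (no token needed)'      => ['GET', []],
    'POST with session token'    => ['POST', ['csrf_token' => $session['csrf_token']]],
    'POST without token'         => ['POST', []],
    'POST with guessed token'    => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'POST with token as array'   => ['POST', ['csrf_token' => ['x']]],
];
foreach ($cases as $label => [$method, $post]) {
    echo str_pad($label, 26), ': ', csrfCheck($session, $method, $post) ? 'allowed' : 'blocked', "\n";
}
```

In a Slim application `csrfCheck()` belongs in a middleware that runs before the route handler and returns a 403 response when it fails, and `csrfField()` is rendered into every form by the template layer. The SameSite attribute and the token complement each other: the cookie attribute stops most cross-site submissions before they reach the application, and the token catches what the browser lets through.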
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers that controls how web pages in one domain can request resources from another domain, aiming to safely enable interactions between different origins.
- Setting up CORS
- CORS (Slim 4 - eBook Vol. 1)
- middlewares/cors
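As an added example, not code from Slim or middlewares/cors, the function below computes the CORS response headers for a request against an explicit origin allow-list and recognises preflight requests. It is written as a pure function over the method and request headers so that it runs offline; in a Slim application it would be wrapped in a middleware that copies the returned headers onto the PSR-7 response. The allowed origins, methods and headers are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example: CORS headers from an origin allow-list, as a pure function.
// Not code from Slim or middlewares/cors.

// Constructed configuration.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Authorization, Content-Type';

/**
 * Return ['headers' => [...], 'preflight' => bool] for a request.
 * 'headers' is empty when the request is same-origin or the origin is not
 * allowed; 'preflight' is true when the caller should answer immediately
 * with 204 instead of running the route.
 */
function corsHeaders(string $method, array $requestHeaders): array
{
    $origin = $requestHeaders['Origin'] ?? null;
    // No Origin header: not a cross-origin browser request, nothing to add.
    if ($origin === null) {
        return ['headers' => [], 'preflight' => false];
    }
    // Match the full origin string against the list. Never reflect an arbitrary
    // Origin back, and never combine "*" with Allow-Credentials: true.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return ['headers' => [], 'preflight' => false];
    }
    $headers = [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        // Shared caches must key on Origin, otherwise one client's
        // Allow-Origin value can be served to another origin.
        'Vary'                             => 'Origin',
    ];
    $isPreflight = strtoupper($method) === 'OPTIONS'
        && isset($requestHeaders['Access-Control-Request-Method']);
    if ($isPreflight) {
        $headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
        $headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
        $headers['Access-Control-Max-Age']       = '600';
    }
    return ['headers' => $headers, 'preflight' => $isPreflight];
}

// Constructed requests.
$cases = [
    'preflight from allowed origin' => ['OPTIONS', ['Origin' => 'https://app.example.com', 'Access-Control-Request-Method' => 'PUT']],
    'GET from allowed origin'       => ['GET', ['Origin' => 'https://admin.example.com']],
    'GET from unlisted origin'      => ['GET', ['Origin' => 'https://other.example.net']],
    'subdomain of allowed origin'   => ['GET', ['Origin' => 'https://app.example.com.other.example.net']],
    'same-origin request'           => ['GET', []],
];
foreach ($cases as $label => [$method, $headers]) {
    echo str_pad($label, 30), ': ', json_encode(corsHeaders($method, $headers)), "\n";
}
```

The exact-string comparison is the important part: allow-lists built with prefix matches or regular expressions on the Origin header are a common source of bypasses, and a server that echoes whatever Origin it receives together with `Access-Control-Allow-Credentials: true` has effectively disabled the same-origin policy for its authenticated endpoints.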
Cross Site Scripting (XSS) Prevention
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application.
To prevent XSS you can use an auto-escaping template system such as Twig, or libraries that are specifically designed to sanitize HTML input:
- laminas/laminas-escaper
- Cross Site Scripting Prevention Cheat Sheet
- Cross-site Scripting (XSS)
- XSS - Cross-site Scripting Protection (Slim 4 - eBook Vol. 3)
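The following added example, not code from laminas-escaper, Twig or Slim, shows why escaping has to match the output context. It renders the same attacker-controlled input once by raw interpolation (the vulnerable form) and once with escaping functions for HTML text and attributes, URL attributes, and JavaScript literals (the hardened form). The helper names `e`, `eJs` and `eUrl` and the sample input are constructed for the demo; laminas-escaper offers the equivalent `escapeHtml`, `escapeHtmlAttr`, `escapeJs` and `escapeUrl` methods.

```php
<?php
declare(strict_types=1);
// Added example: context-aware output escaping in plain PHP, vulnerable vs. hardened.
// Not code from laminas-escaper, Twig or Slim.

/** Escape for HTML text content and for quoted attribute values. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape a value for embedding inside a <script> block as a JSON literal. */
function eJs(mixed $v): string
{
    // The HEX flags encode < > & ' " as \uXXXX, so a value containing
    // "</script>" cannot terminate the script block early.
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Allow only http(s) URLs in href/src; other schemes get an inert fallback. */
function eUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Constructed attacker-controlled input, as it might arrive in a query
// parameter or a form field.
$name = '<img src=x onerror=alert(1)>';
$link = 'javascript:alert(document.cookie)';
$bio  = '</script><script>alert(2)</script>';

// Vulnerable: user input interpolated straight into the markup.
$vulnerable = "<p>Hello $name</p>\n"
    . "<a href=\"$link\">profile</a>\n"
    . "<script>var bio = \"$bio\";</script>";

// Hardened: each value escaped for the context it lands in.
$hardened = '<p>Hello ' . e($name) . '</p>' . "\n"
    . '<a href="' . eUrl($link) . '" title="' . e($name) . '">profile</a>' . "\n"
    . '<script>var bio = ' . eJs($bio) . ';</script>';

echo "VULNERABLE:\n$vulnerable\n\nHARDENED:\n$hardened\n";
```

Escaping on output is distinct from sanitizing on input: escaping makes a value inert for one specific context at the moment it is written into the page, whereas sanitizing rewrites stored HTML to remove dangerous elements. An auto-escaping template engine applies the HTML escaping by default, but values placed into URLs or scripts still need the matching filter for that context.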
More Resources
- Mezzio OAuth2 Server (Slim 4 - eBook Vol. 2)
- PHP Middleware
- middlewares/firewall
- PSR-15 HTTP Middlewares
- Shieldon - Web Application Firewall (Slim 4 - eBook Vol. 3)
- Spam Protection (Slim 4 - eBook Vol. 1)
- Symfony Rate Limiter (Slim 4 - eBook Vol. 2)
- XSS - Cross-site Scripting Protection (Slim 4 - eBook Vol. 3)