I'm building a web app and want to add some "decent" level of security. It's not the next generation bankingplatform so an overkill is not necessairy. However, I do want protection against your local neighbourhood hacker, since the app has an estimated use of 10k users.
To accomplish this, I'd figure I try Codeigniter. I'm not custom to this framework, so I'll only be using it for the "easier" security handling. Note that I'm not an expert in web security.
Basically, what I'll add/modify to my code is this:
Dealing with SQL-injection: using query binding.
Dealing with XSS: enabling it in the config file:
$config['global_xss_filtering'] = TRUE;. The docs say the the filter is run automatically every time it encounters POST or COOKIE data. How can I secure output like this (using codeingniter), than?$name = $_GET['name']; echo "Hi $name!";Dealing with CSRF: enabling it in the config file:
$config['csrf_protection'] = TRUE;Dealing with Session Hacks: using session like this:
$this->session->userdata('userid');
As I said, I'm no security expert, and thus I wonder whether or not these (and only these) modifications will give me an acceptable level off security or are there serious security threads that still require looking into?
Some other notes on my application:
- My app doesn't allow users to upload files to my server.
- The login is done by Facebook. On important pages, I validate the access token (wheter or not it's issued by my app, wheter or not it's issued for the current logged user, etc. If not, the page won't load), and permission/admin rights, so I assume the autorization and authentication part is secure enough.