CakeDC Blog

5 CakePHP security tips

This article is part of the CakeDC Advent Calendar 2024 (December 20th 2024)

We all know how important security is for our sites, so here are 5 quick tips you can apply today to improve the security of your CakePHP site:

  • Ensure all cookies are configured for security
// config/app.php
    'Session' => [
        // .. other configurations
        'cookie' => 'CUSTOM_NAME_FOR_YOUR_SESSION_COOKIE',
        'ini' => [
            'session.cookie_secure' => true,       // only sent over HTTPS
            'session.cookie_httponly' => true,     // not readable from JavaScript
            'session.cookie_samesite' => 'Strict', // not sent on cross-site requests (PHP 7.3+)
        ],
    ],
  • Audit your dependencies
    • Both backend and frontend dependencies could be impacted by security issues. In the case of the backend, you can have a quick look by running composer audit. In case of issues, you'll see an output similar to:
$ composer audit
Found 7 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | composer/composer                                                                |
| CVE               | CVE-2024-35241                                                                   |
| Title             | Composer has a command injection via malicious git branch name                   |
| URL               | https://github.com/advisories/GHSA-47f6-5gq3-vx9c                                |
| Affected versions | >=2.3,<2.7.7|>=2.0,<2.2.24                                                       |
| Reported at       | 2024-06-10T21:36:32+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
  • Enable CSRF protection
// in src/Application::middleware()
// use Cake\Http\Middleware\CsrfProtectionMiddleware;

    $middlewareQueue
        // Cross Site Request Forgery (CSRF) Protection Middleware
        // https://book.cakephp.org/4/en/security/csrf.html#cross-site-request-forgery-csrf-middleware
        ->add(new CsrfProtectionMiddleware([
            'httponly' => true, // CSRF cookie not readable from JavaScript
        ]));
  • Enforce HTTPS
    • Ensure your live applications are enforcing HTTPS to prevent downgrading to HTTP. You can handle that in a number of ways, for example using your webserver configuration or a proxy. If you want to handle it via CakePHP builtins, add the HttpsEnforcerMiddleware:
// in src/Application::middleware()
// use Cake\Http\Middleware\HttpsEnforcerMiddleware;

    $middlewareQueue
        ->add(new HttpsEnforcerMiddleware([
            'hsts' => [
                'maxAge' => 10, // seconds; raise this (e.g. to a year) once you are sure HTTPS is stable
                'includeSubDomains' => true,
                'preload' => false, // use preload true when you are sure all subdomains are OK with HTTPS
            ],
        ]));
  • Add security headers
// in src/Application::middleware()
// use Cake\Http\Middleware\SecurityHeadersMiddleware;

    $securityHeaders = (new SecurityHeadersMiddleware())
        ->setReferrerPolicy() // limit referrer info leaked
        ->setXFrameOptions() // mitigates clickjacking attacks
        ->noOpen() // don't save file in downloads auto
        ->noSniff(); // mitigates mime type sniffing
    $middlewareQueue
        // ...
        ->add($securityHeaders);
        // ...
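As an added example (not code from the original post), here is a CakePHP integration test that checks the three middleware tips are actually in effect after deployment changes. It assumes a CakePHP 4.x app with the middleware registered as above; the routes '/' and '/articles/add' are placeholders for routes in your own app.

```php
<?php
declare(strict_types=1);
namespace App\Test\TestCase;

use Cake\Core\Configure;
use Cake\TestSuite\IntegrationTestTrait;
use Cake\TestSuite\TestCase;

// Assumed placeholders: '/' answers GET and '/articles/add' accepts POST in your app.
class SecurityMiddlewareTest extends TestCase
{
    use IntegrationTestTrait;

    public function testHardeningHeadersArePresent(): void
    {
        // Pretend the request arrived over TLS so HttpsEnforcerMiddleware lets it through
        $this->configRequest(['environment' => ['HTTPS' => 'on']]);
        $this->get('/');
        $this->assertResponseOk();
        // Defaults of the SecurityHeadersMiddleware setters used in the tip
        $this->assertHeader('X-Frame-Options', 'sameorigin');
        $this->assertHeader('Referrer-Policy', 'same-origin');
        $this->assertHeader('X-Content-Type-Options', 'nosniff');
        $this->assertHeader('X-Download-Options', 'noopen');
        // Emitted by HttpsEnforcerMiddleware from its 'hsts' option
        $this->assertHeaderContains('Strict-Transport-Security', 'includeSubDomains');
    }

    public function testPlainHttpIsRedirected(): void
    {
        // The enforcer is skipped while debug is on (disableOnDebug defaults to true)
        $debug = Configure::read('debug');
        Configure::write('debug', false);
        try {
            $this->get('/');
            $this->assertResponseCode(301);
            $this->assertRedirectContains('https://');
        } finally {
            Configure::write('debug', $debug);
        }
    }

    public function testPostWithoutCsrfTokenIsRejected(): void
    {
        $this->configRequest(['environment' => ['HTTPS' => 'on']]);
        // No enableCsrfToken() call, so the submission carries no token
        $this->post('/articles/add', ['title' => 'constructed sample']);
        $this->assertResponseCode(403);
    }
}
```

Run it with `vendor/bin/phpunit`; the HSTS assertion will fail if the 'hsts' option is dropped from the enforcer, and the last test fails if the CSRF middleware is removed or bypassed for that route.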

This is just a quick example of 5 changes in code you could apply today to improve your CakePHP website security. Keep your projects safe!
