Greetings, fellow web developers! As we wield our PHP superpowers to create amazing web applications, we must remember the mighty responsibility of keeping them secure. While we all know about the basic security tricks like input validation and escaping, I’m here to share some rare gems of wisdom that will make your PHP applications almost as impenetrable as a fortress (with a touch of humor, of course!).

1. Embrace the Content Security Policy (CSP) Shield

You know those pesky cross-site scripting (XSS) attacks? Fear not! By activating the Content Security Policy (CSP) shield, you’ll stop those bad scripts right in their tracks. It’s like putting up a “No Entry for Malicious Scripts” sign. The CSP header lets you decide which content sources are safe to load, leaving the hackers scratching their heads in confusion.

2. Say “HSTS Activate!” for HTTPS Awesomeness

Picture this: you say “HSTS Activate!” (not really, but you get the idea) and your website becomes an impenetrable fortress against man-in-the-middle attacks. Enabling HTTP Strict Transport Security (HSTS) ensures that your visitors only communicate with your site over a secure HTTPS connection. No sneaky downgrades to unencrypted territory allowed!

3. Rotate Your Session IDs – The Security Spin Dance

Remember those precious sessions you cherish? Well, it’s time for a spin dance! Regularly monitor and rotate session IDs to fend off session fixation attacks. It’s like changing the lock on your front door to keep out unwanted intruders. Plus, adding a timeout mechanism ensures idle sessions get kicked out after a well-deserved break.

4. Show Some Love to Prepared Statements

Oh, SQL injection attacks, you thought you could get away with it? Not on our watch! We’ve got prepared statements and parameterized queries, the dynamic duo that shields our databases from sneaky hackers. These dynamic defenders ensure that malicious code can’t worm its way into our precious data.

5. Data Whitelisting – The Guest List for Your App

If your app were throwing a party, data whitelisting would be the VIP guest list. Only invited, expected data gets through the door, keeping out unwanted party crashers. This extra layer of security means only the right data gets to dance on your application’s stage.

6. Quiet on Set – Disable PHP Error Reporting

During the development stage, we love PHP error reporting; it’s like having a helpful assistant pointing out every little mistake. But when it comes to the big show, aka the production server, we need to keep things hush-hush. Let’s log those errors instead of spilling our secrets to potential troublemakers.

7. Call in Reinforcements: Security Libraries and Frameworks

Why do all the security work yourself when you can call in the big guns? Security libraries and frameworks are like the Avengers of web development. With PHP Security Advisories Database (PHP-SAD) and the PHP Security Project on your side, you’ll always know when there’s a new threat lurking around.

As we wrap up our journey into the realm of uncommon security tips for PHP developers, remember to laugh along the way. Security doesn’t have to be all serious and stern. By adopting these rare security gems, you’ll fortify your PHP superpowers, creating safer and more reliable applications for your users. So go forth and kick some ass!

We all want or have that friend that will tell us when we have spinach in our teeth. You know, the type that pulls us to the side and says it… this isn’t to be confused for the type that says it at the least opportune time in front of your bosses’ boss but that story is for another time. We all have nightmares okay?

Back to the topic of this blog though… I have a friend who has my back in a way like no other – it tells me that some filthy entity has tampered with my beautiful code and saves my butt quite often.

Okay, backstory time:

Clients sometimes like to engage in what I like to call the event horizon guarantee.

That means, I ensure that everything is rotating around the black hole in a steady balance for x amount of time. If any variable in their environment changes, my guarantee either needs to account for this or will be void (should a third party /developer tamper with the code and ‘break’ the system). This of course, does not include security issues that result from a bug that I should have addressed.

It’s important to safeguard ourselves and clients by providing comprehensive agreements prior to project commencement so the stakes are clear.

This is where generating a checksum for your code comes in. I use this method in every project and you should too!(infact it should be one of multiple ways you check your code’s integrity).

$mychecksum = md5_file($codefilepath);

And that’s it, save this, automate your processes, and boom! one more way to be more secure.

Ok, I’ve been more concerned than usual recently. The era of technological advancements at breakneck speeds is upon us and with that comes a plethora of security holes and probably exploitation.

The growing need for advancement in our response and regular ‘housekeeping’ on our digital platforms (and even with digital assets) is abundantly clear.

Over the course of the next few weeks, I will post about general do’s and don’ts and how to safeguard against what’s to come.

Gear up- it’s going to be an awesome, bumpy ride.

In the interim, here are my top 10 security tips for site owners:

1. Keep software and web applications up-to-date: Ensure that all software, including content management systems (CMS) and plugins, are updated regularly to avoid vulnerabilities.
2. Implement strong passwords: Use strong passwords and encourage users to do the same. Passwords should be complex, unique, and changed regularly.
3. Enable two-factor authentication: Two-factor authentication adds an additional layer of security and requires users to provide a second factor of authentication in addition to a password.
4. Secure data transmissions: Use secure protocols (e.g. HTTPS) to encrypt data transmissions to and from the website, especially for sensitive information such as login credentials and payment details.
5. Regularly backup website data: Back up your website regularly and keep the backup in a secure location to avoid data loss in case of a security breach or website outage.
6. Protect against malware: Install antivirus software and firewalls to protect against malware and other malicious attacks. Regularly scan the website for malware and vulnerabilities.
7. Control access: Limit access to sensitive areas of the website, such as the admin panel, to authorized personnel only.
8. Monitor website activity: Regularly monitor website activity for signs of suspicious behavior, such as unusual login attempts or file modifications.
9. Implement website security policies: Establish clear website security policies and procedures for users, such as password policies, email security, and file upload guidelines.
10. Educate users: Educate users on website security best practices, such as avoiding phishing scams, securing their devices, and reporting suspicious activity.

If you need pointers, you know where to reach me, comment below or @ me on Twitter