Security
The Yabasi framework provides security features that help protect your application against common web vulnerabilities. This section covers the key security components and best practices.
CSRF Protection
Cross-Site Request Forgery (CSRF) protection is built into Yabasi to prevent unauthorized commands from being transmitted from a user that the web application trusts.
Generating CSRF Tokens
use Yabasi\Security\CsrfProtection;

// $session is the current session store; the generated token is kept there
// so it can be compared against the value submitted with later requests.
$csrfProtection = new CsrfProtection($session);
$token = $csrfProtection->generateToken(); // send with each state-changing request, e.g. as a hidden form field
Validating CSRF Tokens
// Middleware method: $this->csrfProtection is the CsrfProtection instance
// shown above, injected into the middleware.
public function handle(Request $request, Closure $next): Response
{
    // Read the token the client sent (form field or header) and check it
    // against the one stored in the session.
    $token = $this->csrfProtection->getTokenFromRequest($request);
    if (!$token || !$this->csrfProtection->validateToken($token)) {
        // Reject the request before any handler runs.
        return new Response('CSRF token mismatch', 403);
    }
    return $next($request);
}
XSS Protection
Yabasi includes built-in protection against Cross-Site Scripting (XSS) attacks by automatically escaping output.
use Yabasi\Security\XssProtection; // namespace assumed to follow CsrfProtection above

$userInput = "<script>alert('XSS');</script>";
$cleanInput = XssProtection::clean($userInput);
// $cleanInput is the HTML-encoded form of the input: the < and > of the
// script tags become &lt; and &gt;, so the browser renders text, not markup.
Session Security
Yabasi provides robust session security features to protect against session hijacking and fixation attacks.
Secure Session Configuration
SecurityHandler::setSecureCookieParams();  // session cookie sent only over HTTPS and not readable from JavaScript
SecurityHandler::preventSessionFixation(); // issue a fresh session id instead of accepting one supplied by the client
Session Validation
// $session is the current session object.
$securityHandler = new SecurityHandler();
if (!$securityHandler->validateSession()) {
    // Session is invalid (e.g. hijacked or expired); discard its id and start over.
    $session->regenerate();
}
Password Hashing
Yabasi uses secure password hashing by default when working with user models.
// Model setter: only the hash is stored, never the plaintext password.
// PASSWORD_DEFAULT selects the algorithm PHP currently recommends (bcrypt)
// and may change in future PHP versions; check hashes with password_verify().
public function setPassword($value): void
{
    $this->attributes['password'] = password_hash($value, PASSWORD_DEFAULT);
}
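The login-side counterpart of the setter above, as an added example that is not part of Yabasi's own code: it verifies a candidate password against the stored hash and transparently rehashes when PASSWORD_DEFAULT has moved on. The `User` class, its `$attributes` array and the `verifyPassword()` method are assumptions modelled on the page's snippet.

```php
<?php
// Added example, not Yabasi's own code. Extends the page's setPassword() with
// the verification step; $attributes mirrors the page's snippet.

final class User
{
    /** @var array<string,mixed> model attributes, as in the page's setPassword() */
    private array $attributes = [];

    // From the page: store only a hash, never the plaintext.
    public function setPassword(string $value): void
    {
        $this->attributes['password'] = password_hash($value, PASSWORD_DEFAULT);
    }

    // Returns true only if $candidate matches the stored hash. password_verify()
    // compares in constant time, so no manual string comparison is needed.
    // If the stored hash was made with an older cost or algorithm, it is
    // replaced in place; the caller persists the model as it normally would.
    public function verifyPassword(string $candidate): bool
    {
        $stored = $this->attributes['password'] ?? null;
        if (!is_string($stored) || !password_verify($candidate, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $this->setPassword($candidate);
        }
        return true;
    }
}

// Usage with a constructed password (not production data):
$user = new User();
$user->setPassword('correct horse battery staple');
var_dump($user->verifyPassword('correct horse battery staple'));
var_dump($user->verifyPassword('wrong password'));
```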
Database Security
Yabasi uses prepared statements to prevent SQL injection attacks.
// $email is bound as a query parameter, not interpolated into the SQL string.
$users = User::query()
    ->where('email', '=', $email)
    ->get();
API Security
For API security, Yabasi includes rate limiting to prevent abuse.