Would be nice to get a quick cheatsheet together with two columns: column A: Security Risk; column B: Best Practice (using Cake).

I'll offer a tentative start (humbly, but realistically, admitting I am not expert enough to rely on).

Security risks (column A):
1. SQL injection
2. XSS
3. CSRF (cross-site request forgery)
4. Session hijacking
5. Session fixation
6. Brute-force password cracking
7. Spoofed HTTP requests

Best practices using Cake (column B):
1. Cake does this; we don't need to do anything as long as we use Cake's model functions.
2. Needs to be filtered using Cake's Security component routines.
3. ?? - don't know enough about this.
4. & 5. Use Cake security level HIGH, so session ids will be changed every request, and store sessions in the DB so client-side cookies cannot be manipulated.
6. Cake does not natively support this, I don't think, so it would need an add-on algorithm to detect and deal with it. I believe there is something in the Bakery for this.
7. ?? - not sure.

All are welcome to contribute to either the security risks (column A) or the best-practice approaches (PHP and/or Cake) for dealing with them (column B).

You received this message because you are subscribed to the Google Groups "Cake PHP" group. For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
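As an added illustration (mine, not the original poster's and not CakePHP's own code), here is how the column-B items map onto CakePHP 1.2-era configuration and calls: the core.php session settings for items 4 and 5 with the weak values shown beside the hardened ones, the array-conditions query style for item 1 beside the string interpolation it avoids, h() for item 2, and the Security component for item 3 (in CakePHP 1.2 the component validates the hidden token that FormHelper adds to forms, which covers the CSRF case the post leaves open). The controller, model and file names are illustrative, and the login-lockout functions for item 6 are a hypothetical sketch of mine, not the Bakery add-on the post refers to.

```php
<?php
// Added example, not from the original post and not CakePHP project code.
// Assumes CakePHP 1.2 conventions; controller/model/file names are illustrative.

// --- app/config/core.php: items 4 and 5 (session hijacking / fixation) ---
// Weak: 'low' keeps one session id for the whole session, and 'php' leaves
// session storage to the PHP default.
// Configure::write('Security.level', 'low');
// Configure::write('Session.save', 'php');

// Hardened: 'high' regenerates the session id on every request, and
// 'database' keeps session data server-side in the cake_sessions table,
// so the client only ever holds an opaque id.
Configure::write('Security.level', 'high');
Configure::write('Session.save', 'database');
Configure::write('Session.timeout', '120'); // base timeout in minutes; scaled by security level

// --- app/controllers/posts_controller.php: items 1, 2 and 3 ---
class PostsController extends AppController {
    var $name = 'Posts';
    // Item 3: the Security component checks the hidden token FormHelper adds
    // to every form it builds, so a POST not built by this app is rejected.
    var $components = array('Security');

    function beforeFilter() {
        // State-changing actions must arrive as POST, never as a crafted GET link.
        $this->Security->requirePost('add', 'delete');
    }

    function search() {
        $title = $this->params['url']['q'];   // attacker-controlled query string

        // Item 1, wrong: interpolating the raw value hands it to the database as SQL.
        // $posts = $this->Post->query("SELECT * FROM posts WHERE title = '$title'");

        // Item 1, right: array conditions are escaped by the datasource.
        $posts = $this->Post->find('all', array(
            'conditions' => array('Post.title LIKE' => '%' . $title . '%')
        ));
        $this->set(compact('posts'));
    }
}

// --- app/views/posts/search.ctp: item 2 (XSS) ---
// Wrong:  echo $post['Post']['title'];     // stored markup renders in the browser
// Right:  echo h($post['Post']['title']);  // h() HTML-escapes every user-supplied value

// --- item 6 (brute force): hypothetical helper, not a Bakery add-on ---
// Counts failed logins per username in the configured cache and refuses further
// attempts once the threshold is reached; the window resets when the entry expires.
function login_allowed($username, $max = 5) {
    $key = 'failed_logins_' . md5($username);
    $failed = Cache::read($key);               // false when no entry exists
    return ($failed === false) || ($failed < $max);
}

function record_failed_login($username) {
    $key = 'failed_logins_' . md5($username);
    $failed = Cache::read($key);
    Cache::write($key, ($failed === false) ? 1 : $failed + 1);
}
```

The lockout functions would be called from the login action: check login_allowed() before verifying the password and call record_failed_login() on a miss. Keying on the username rather than the client IP means a single attacker cannot dodge the counter by rotating addresses, at the cost of letting anyone lock a known account for the cache window, which is why the threshold and expiry should be tuned to the application.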
