Security Guidelines

We take security seriously. CodeIgniter incorporates a number of features and techniques to either enforce good security practices, or to enable you to do so easily.

We respect the Open Web Application Security Project (OWASP) and follow their recommendations as much as possible.

The following comes from OWASP Top Ten Cheat Sheet, identifying the top vulnerabilities for web applications. For each, we provide a brief description, the OWASP recommendations, and then the CodeIgniter provisions to address the problem.

A1 Injection

An injection is the inappropriate insertion of partial or complete data via the input data from the client to the application. Attack vectors include SQL, XML, ORM, code & buffer overflows.

OWASP recommendations

  • Presentation: set correct content type, character set & locale
  • Submission: validate fields and provide feedback
  • Controller: sanitize input; positive input validation using correct character set
  • Model: parameterized queries

CodeIgniter provisions

  • HTTP library provides for input field filtering & content metadata
  • Form validation library

A2 Weak authentication and session management

Inadequate authentication or improper session management can lead to a user getting more privileges than they are entitled to.

OWASP recommendations

  • Presentation: validate authentication & role; send CSRF token with forms
  • Design: only use built-in session management
  • Controller: validate user, role, CSRF token
  • Model: validate role
  • Tip: consider the use of a request governor

CodeIgniter provisions

  • Session library
  • Security library provides for CSRF validation
  • Easy to add third party authentication

A3 Cross Site Scripting (XSS)

Insufficient input validation where one user can add content to a web site that can be malicious when viewed by other users to the web site.

OWASP recommendations

  • Presentation: output encode all user data as per output context; set input constraints
  • Controller: positive input validation
  • Tips: only process trustworthy data; do not store data HTML encoded in DB

CodeIgniter provisions

  • esc function
  • Form validation library

A4 Insecure Direct Object Reference

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

OWASP recommendations

  • Presentation: don’t expose internal data; use random reference maps
  • Controller: obtain data from trusted sources or random reference maps
  • Model: validate user roles before updating data

CodeIgniter provisions

  • Form validation library
  • Easy to add third party authentication

A5 Security Misconfiguration

Improper configuration of an application architecture can lead to mistakes that might compromise the security of the whole architecture.

OWASP recommendations

  • Presentation: harden web and application servers; use HTTP strict transport security
  • Controller: harden web and application servers; protect your XML stack
  • Model: harden database servers

CodeIgniter provisions

  • Sanity checks during bootstrap

A6 Sensitive Data Exposure

Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission.

OWASP recommendations

  • Presentation: use TLS1.2; use strong ciphers and hashes; do not send keys or hashes to browser
  • Controller: use strong ciphers and hashes
  • Model: mandate strong encrypted communications with servers

CodeIgniter provisions

  • Session keys stored encrypted

A7 Missing Function Level Access Control

Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission.

OWASP recommendations

  • Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
  • Controller: validate users and roles; validate CSRF tokens
  • Model: validate roles

CodeIgniter provisions

  • Public folder, with application and system outside
  • Security library provides for CSRF validation

A8 Cross Site Request Forgery (CSRF)

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.

OWASP recommendations

  • Presentation: validate users and roles; send CSRF tokens
  • Controller: validate users and roles; validate CSRF tokens
  • Model: validate roles

CodeIgniter provisions

  • Security library provides for CSRF validation

A9 Using Components with Known Vulnerabilities

Many applications have known vulnerabilities and known attack strategies that can be exploited in order to gain remote control or to exploit data.

OWASP recommendations

  • Don’t use any of these

CodeIgniter provisions

  • Third party libraries incorporated must be vetted

A10 Unvalidated Redirects and Forwards

Faulty business logic or injected actionable code could redirect the user inappropriately.

OWASP recommendations

  • Presentation: don’t use URL redirection; use random indirect references
  • Controller: don’t use URL redirection; use random indirect references
  • Model: validate roles

CodeIgniter provisions