
Language-specific configuration (e.g. PHP)

Whatever your tech stack, the language that serves backend requests must be configured to handle requests and user sessions securely. This page uses PHP as its example.

This is not an exhaustive list, since each language has its own specifics, but it should give you an idea of what to look out for.

Server-side session security

Session Garbage Collection and Session ID Regeneration

Modern websites rarely log users out, unless they are security-critical applications such as online banking. A long-lived session keeps a leaked session ID useful for just as long, so you should regenerate a user's session ID periodically (and whenever the authentication state changes, such as at login) to limit the window in which an attacker who learns the ID can hijack the session. Expired sessions must also be garbage collected promptly on the server, so that an old ID cannot be reused after the session should have been gone.

An example of how you might go about this in PHP follows.
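The following is an added example written for this page, not the page's own snippet. It runs on PHP's native session handler and assumes PHP 7.3 or newer (for the array form of `session_set_cookie_params()`). The function names, the rotation interval, the grace period and the garbage-collection numbers are illustrative choices made here, not settings the page prescribes.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not the page's own code): periodic session ID regeneration
 * plus garbage-collection settings for PHP's native session handler.
 * Assumes PHP >= 7.3. Interval, grace and gc values are illustrative.
 */

const SESSION_REGENERATE_INTERVAL = 15 * 60; // rotate the ID after this many seconds
const SESSION_OBSOLETE_GRACE      = 60;      // how long a retired ID is still honoured

function configureSession(): void
{
    // Garbage collection: a record idle for longer than gc_maxlifetime becomes
    // eligible for deletion, and gc runs on probability/divisor of all
    // session_start() calls (1 % here). These belong in php.ini; ini_set()
    // is used only to keep the example self-contained.
    ini_set('session.gc_maxlifetime', (string) (30 * 60));
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');

    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued (blocks fixation)
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/** Start or resume the session, rotating the ID when it is due. */
function secureSessionStart(): void
{
    configureSession();
    session_start();

    if (isset($_SESSION['obsolete_at'])) {
        // The client presented an ID that has already been rotated away.
        if ($_SESSION['obsolete_at'] < time() - SESSION_OBSOLETE_GRACE) {
            // Past the grace period no legitimate client still holds this ID,
            // so treat it as replay of a stolen one. A real application should
            // also revoke the user's other sessions here; that needs a user
            // store and is out of scope for this example.
            session_unset();
            session_destroy();
            session_start();          // fresh, empty session under a new ID
            return;
        }
        // Within the grace period this is most likely a request that raced the
        // rotation (parallel XHRs, a slow page load). Serve it with the old
        // data; anything it writes lands in the retired record and is lost,
        // which is the price of not logging that request out.
        return;
    }

    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = time();
    } elseif ($_SESSION['created_at'] < time() - SESSION_REGENERATE_INTERVAL) {
        rotateSessionId();
    }
}

/**
 * Swap the current ID for a fresh one. session_regenerate_id(true) would
 * delete the old record at once and break any request still in flight with
 * the old ID; session_regenerate_id(false) alone would leave the old record
 * usable indefinitely. Here the old record is marked obsolete first, so the
 * grace-period check above can retire it a short time later.
 */
function rotateSessionId(): void
{
    $_SESSION['obsolete_at'] = time();
    session_commit();                 // persist the mark under the old ID
    session_start();                  // reopen the same ID (it exists, so strict mode accepts it)

    session_regenerate_id(false);     // new ID and Set-Cookie; old record left as marked
    unset($_SESSION['obsolete_at']);  // the new record is not obsolete
    $_SESSION['created_at'] = time();
}

// Usage: call at the top of every request that needs the session.
secureSessionStart();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

Call `rotateSessionId()` explicitly after a successful login as well: a privilege change must never keep an ID the client already held while unauthenticated. Also check `session.gc_probability` in `phpinfo()` on the target host, because some distributions ship it as 0 and clean the session directory from a cron job instead; if neither mechanism is active, expired sessions are never removed and the `gc_maxlifetime` value is meaningless.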