How to protect your PHP website against common attacks in common frameworks such as CodeIgniter/CakePHP/Symfony/Zend
Hello, I am looking for advice on security and on testing your PHP website against attacks.
I have got some advice by searching around, and I hope more experienced developers have more suggestions and can fill the gaps. Please help if you can, so we can make a more secure and better website.
1. Server side: port scanning (1.1)
2. Website: cross-site scripting (2.1), injection attacks (2.2), cross-site request forgery (2.3), broken authentication and session management (2.4), insecure cryptographic storage (2.5), insecure communication (2.6), information leakage (2.7)
How to test:
- 1.1 port scanning software (Firefox has add-ons, but they do not scan ports with low numbers)
- 2.1 XSS Me for Firefox
- 2.2 SQL Inject Me for Firefox
- 2.3 ?
- 2.4 Access Me for Firefox
- 2.6 ?
- 2.7 ?
How to fix (preferably in CodeIgniter/CakePHP/Symfony/Zend) in PHP:
- 1.1 close your ports
- 2.1 $config['global_xss_filtering'] = TRUE; (CodeIgniter)
- 2.2 use Active Record (escaped queries) (CodeIgniter)
- 2.3 ?
- 2.4 ?
- 2.6 ?
- 2.7 ?
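As an added example that is not part of the question (plain PHP rather than any of the frameworks named; the in-memory SQLite database, users table, payloads and session array are constructed for the demo), this shows the primitives behind items 2.1 to 2.3: escaping at the output boundary with htmlspecialchars, a vulnerable string-built query beside a PDO prepared statement, and a per-session CSRF token compared with hash_equals.

```php
<?php
// Added example, not code from the question or from any of the named frameworks.
// Demonstrates output escaping (2.1), parameterised queries (2.2) and a CSRF token (2.3).
declare(strict_types=1);

// 2.1 XSS: escape at the output boundary for the HTML context, never rely on input filtering alone.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2.2 SQL injection: DO NOT USE, $name becomes part of the SQL text.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2.2 hardened: the value is bound as data, the SQL text is fixed.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2.3 CSRF: one random token per session, embedded in every state-changing form.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Constant-time comparison so the token cannot be recovered byte by byte via timing.
function csrfValid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted)
        && hash_equals($session['csrf'], $submitted);
}

// --- demonstration with constructed data (in-memory SQLite, no database server needed) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Classic tautology payload: the vulnerable query matches every row, the prepared one matches none.
$payload = "x' OR '1'='1";
echo count(findUserVulnerable($db, $payload)), " rows from the vulnerable query\n";
echo count(findUserSafe($db, $payload)), " rows from the prepared statement\n";

// Script tag is rendered as text once escaped.
$comment = '<script>alert(1)</script>';
echo '<p>' . e($comment) . "</p>\n";

// Token issued for the session validates; a forged or missing token does not.
$session = [];
$token = csrfToken($session);
var_dump(csrfValid($session, $token));
var_dump(csrfValid($session, 'forged'));
var_dump(csrfValid($session, null));
```

Run with `php file.php` (needs the pdo_sqlite extension). Note that CodeIgniter's `global_xss_filtering` is an input filter; it is not a substitute for escaping each value in the output context where it is rendered, which is what the `e()` helper above does.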
Unfortunately the list of security issues is much longer than the list of tests. Before going into technical details, you should first understand that the biggest security issue is between the keyboard and the chair, so:
- use large random passwords and keep them confidential
- system
- code with comments, structure, reviews and tests
For the server (assuming you use a Linux/UNIX/BSD environment):
- a firewall and an intrusion detection system
- close all unnecessary ports to the public, and add a firewall exception rule if you need a port for yourself (e.g. for ssh)
- keep your operating system up to date
- do not go with a shared hosting party
- is your server located in a safe and secure place?
You can check your application with all kinds of security tools (like Nikto, Paros/Burp Proxy, Nmap, ...), but in fact, since you wrote the application, you can do a better security test yourself.
- use a framework with functions to escape variables in the view layer of your application. This prevents most XSS vulnerabilities, but keep in mind that escaping does not solve everything.
- use the httponly session cookie flag to limit XSS (not working in all browsers yet)
- use a database abstraction layer that does the escaping for you to stop SQL injection
- use autoloaders to prevent LFI and RFI
- do not install other web pages in your web directory, and no test files
- use a captcha to prevent brute-forcing of logins
And yes, there are too many attack vectors; as a regular developer, your application is probably secure by writing it securely, not by all kinds of tests. Use the tests as a confirmation. In short: code safe.
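As an added example that is not the answer's own code, this shows the session-cookie flags the answer mentions (httponly, together with secure and samesite), session id regeneration after a successful login, and a login throttle as the code-level counterpart of the captcha advice. It is plain PHP 8; the user table, the IP address, the in-memory attempt store and the fixed clock are all constructed for the demo, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not the answer's own code. Session cookie hardening plus a login throttle.
declare(strict_types=1);

// Cookie flags set before session_start(). 'secure' assumes HTTPS is in use.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // cookie only sent over HTTPS
        'httponly' => true,   // not readable from document.cookie, so XSS cannot simply exfiltrate it
        'samesite' => 'Lax',  // not attached to cross-site POSTs, which blunts CSRF
    ]);
    ini_set('session.use_strict_mode', '1'); // reject session ids the client made up (fixation)
}

// Throttle: after $maxAttempts failures for one key within $window seconds, refuse further tries.
// $store is a constructed in-memory stand-in for whatever the framework offers (cache, DB, Redis).
final class LoginThrottle
{
    private array $store = [];

    public function __construct(private int $maxAttempts = 5, private int $window = 900) {}

    public function isBlocked(string $key, int $now): bool
    {
        $this->store[$key] = array_filter(
            $this->store[$key] ?? [],
            fn (int $t) => $t > $now - $this->window   // drop failures older than the window
        );
        return count($this->store[$key]) >= $this->maxAttempts;
    }

    public function recordFailure(string $key, int $now): void
    {
        $this->store[$key][] = $now;
    }

    public function reset(string $key): void
    {
        unset($this->store[$key]);
    }
}

// Verify against a password_hash() digest, throttled per user+IP, regenerating the id on success.
function attemptLogin(LoginThrottle $throttle, array $users, string $user, string $password, string $ip, int $now): bool
{
    $key = $user . '|' . $ip;
    if ($throttle->isBlocked($key, $now)) {
        return false; // caller should now show a captcha or delay, not just "wrong password"
    }
    // Verify a dummy hash for unknown users so the response time does not reveal which names exist.
    $hash = $users[$user] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!isset($users[$user]) || !password_verify($password, $hash)) {
        $throttle->recordFailure($key, $now);
        return false;
    }
    $throttle->reset($key);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh id after the privilege change, old one deleted
    }
    return true;
}

// --- demonstration with a constructed user, a constructed IP and a fixed clock ---
hardenSessionCookie();
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$throttle = new LoginThrottle(maxAttempts: 3, window: 900);
$t = 1_700_000_000;

// Three wrong guesses fill the window.
for ($i = 0; $i < 3; $i++) {
    var_dump(attemptLogin($throttle, $users, 'alice', 'guess' . $i, '203.0.113.7', $t + $i));
}
// The correct password is refused while blocked, and accepted again once the window has passed.
var_dump(attemptLogin($throttle, $users, 'alice', 'correct horse battery staple', '203.0.113.7', $t + 3));
var_dump(attemptLogin($throttle, $users, 'alice', 'correct horse battery staple', '203.0.113.7', $t + 1000));
```

The throttle keys on user plus client IP, which slows a single-source guessing loop but not a distributed one; the answer's captcha (or a per-account lockout with notification) is the usual escalation once `isBlocked()` fires. Because the throttle is bypassed entirely if the store is lost on restart, use a persistent store in production.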