Security Guide
Multi-layer security architecture with 90% automatic protection
Overview
GEMVC is architected with security-by-design principles, implementing multi-layered defense mechanisms from request arrival to database operations.
90% of GEMVC security is AUTOMATIC - No developer configuration needed!
Multi-Layer Security Architecture
Security Layers

```text
Request Arrives
      ↓
1. Path Access Security (SecurityManager)              ✅ AUTOMATIC
      ↓
2. Header Sanitization (ApacheRequest/SwooleRequest)   ✅ AUTOMATIC
      ↓
3. Input Sanitization (XSS Prevention)                 ✅ AUTOMATIC
      ↓
4. Schema Validation (Request Filtering)               ⚙️ Developer Calls
      ↓
5. Authentication & Authorization (JWT)                ⚙️ Developer Calls
      ↓
6. File Security (Name, MIME, Signature)               ✅ AUTOMATIC
      ↓
7. Database Security (SQL Injection Prevention)        ✅ AUTOMATIC
```
Automatic Protection (✅)
Path Access Blocking
Blocks access to /app, /vendor, /.env, .php files
Header Sanitization
All HTTP_* headers sanitized automatically
XSS Prevention
All inputs HTML-entity encoded via FILTER_SANITIZE
SQL Injection Prevention
100% prepared statements - no string concatenation
Note: Your app/api/ code never needs to worry about sanitization - it's already done by the time your code runs!
Developer-Enabled Protection (⚙️)
Schema Validation
```php
// Prevents mass assignment & validates types
if (!$this->request->definePostSchema([
    'name'     => 'string', // Required string
    'email'    => 'email',  // Required valid email
    'password' => 'string', // Required string
    '?phone'   => 'string', // Optional string
    '?age'     => 'int'     // Optional integer
])) {
    return $this->request->returnResponse(); // 400 Bad Request
}

// String length validation
if (!$this->request->validateStringPosts([
    'name'     => '2|100', // 2-100 characters
    'password' => '8|128', // 8-128 characters
])) {
    return $this->request->returnResponse();
}
```
Authentication & Authorization
JWT Authentication
```php
// Authentication (returns 401 if invalid)
if (!$this->request->auth()) {
    return $this->request->returnResponse();
}

// Authorization with roles (returns 403 if unauthorized)
if (!$this->request->auth(['admin', 'moderator'])) {
    return $this->request->returnResponse();
}
```
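The two developer-enabled layers above are shown as fragments; the following is an added example (not GEMVC's own code) of one service class that applies them in order, fail-closed. It uses only the request methods documented on this page (`definePostSchema()`, `validateStringPosts()`, `auth()`, `returnResponse()`) plus `CryptHelper::hashPassword()` from the Password Security section; the class name `UserService`, the `$this->request->post` array and the `$this->request->returnSuccess()` helper are assumptions made for illustration.

```php
<?php
// Added example, not part of the GEMVC code base. Assumed: the framework
// injects the current request as $this->request, exposes validated POST
// fields as $this->request->post, and offers returnSuccess() for a 2xx reply.

namespace App\Api;

use Gemvc\Helper\CryptHelper;

class UserService
{
    public function register(): mixed
    {
        // Layer 4a: whitelist the accepted fields and their types. Fields not
        // listed are rejected, which is what stops mass assignment.
        if (!$this->request->definePostSchema([
            'name'     => 'string',
            'email'    => 'email',
            'password' => 'string',
            '?phone'   => 'string',
        ])) {
            return $this->request->returnResponse(); // 400 Bad Request
        }

        // Layer 4b: bound free-text lengths so empty or oversized values are
        // rejected before they reach hashing or storage.
        if (!$this->request->validateStringPosts([
            'name'     => '2|100',
            'password' => '8|128',
        ])) {
            return $this->request->returnResponse(); // 400 Bad Request
        }

        // Only now touch the data: the password is hashed, never stored as given.
        $hashed = CryptHelper::hashPassword($this->request->post['password']);

        // Assumed response helper; the user row would be written here.
        return $this->request->returnSuccess([
            'email' => $this->request->post['email'],
            'hash_prefix' => substr($hashed, 0, 9), // e.g. "$argon2i$", never the full hash
        ]);
    }

    public function promote(): mixed
    {
        // Layer 5: authenticate, then authorize. A missing or forged token gives
        // 401, a valid token without one of these roles gives 403.
        if (!$this->request->auth(['admin'])) {
            return $this->request->returnResponse();
        }

        // The schema check still applies to privileged endpoints.
        if (!$this->request->definePostSchema(['user_id' => 'int', 'role' => 'string'])) {
            return $this->request->returnResponse();
        }

        return $this->request->returnSuccess(['promoted' => $this->request->post['user_id']]);
    }
}
```

The ordering matters: schema and length validation run before any business logic, and the authorization check runs before the schema check on privileged routes so that unauthenticated callers learn nothing about the expected field names.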
Attack Prevention Matrix
| Attack Type | Protection | Status |
|---|---|---|
| XSS | Input sanitization | ✅ Auto |
| SQL Injection | Prepared statements | ✅ Auto |
| Path Traversal | Path blocking + sanitization | ✅ Auto |
| Header Injection | Header sanitization | ✅ Auto |
| Mass Assignment | definePostSchema() | ⚙️ Dev |
| JWT Forgery | HS256 signature | ✅ Auto |
| Role Escalation | auth(['role']) | ⚙️ Dev |
Tip: Always use definePostSchema() in your API services - it's the only manual security step you need!
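The "JWT Forgery" row relies on the HS256 signature being verified on every request. The following added example in plain PHP (not GEMVC's `auth()` or `CryptHelper` implementation) shows what that verification has to do to actually stop forgery: pin the algorithm instead of trusting the token header, compare the HMAC in constant time, and check expiry. The secret and the tokens are constructed for this example.

```php
<?php
// Added example, plain PHP; not the framework's own JWT code.

function base64url_decode(string $data): string|false
{
    $b64 = strtr($data, '-_', '+/');
    $pad = (4 - strlen($b64) % 4) % 4;
    return base64_decode($b64 . str_repeat('=', $pad), true); // strict: reject odd chars
}

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Returns the claims on success, null on any failure (fail closed).
function verifyHs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    // The header is attacker-controlled: accept exactly HS256, never "none"
    // or a different algorithm family chosen by the client.
    $header = json_decode(base64url_decode($h) ?: '', true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    // Recompute the MAC over the exact header.payload bytes that were signed.
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $given = base64url_decode($s);
    // hash_equals() is constant-time, so timing does not leak matching bytes.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }

    $claims = json_decode(base64url_decode($p) ?: '', true);
    if (!is_array($claims)) {
        return null;
    }
    // An otherwise valid but expired token is still rejected.
    if (isset($claims['exp']) && time() >= (int) $claims['exp']) {
        return null;
    }
    return $claims;
}

// Issuer side, included so the example runs stand-alone.
function signHs256(array $claims, string $secret): string
{
    $h = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = base64url_encode(json_encode($claims));
    $s = base64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
    return "$h.$p.$s";
}

// Constructed demo values.
$secret = 'constructed-demo-secret-not-for-real-use';
$token  = signHs256(['sub' => 42, 'role' => 'user', 'exp' => time() + 3600], $secret);
echo 'genuine token: ', verifyHs256($token, $secret) !== null ? "accepted\n" : "rejected\n";

// Same header and signature, payload edited to claim a higher role: the MAC
// no longer matches, so the verifier rejects it.
[$h, , $s] = explode('.', $token);
$edited = $h . '.' . base64url_encode(json_encode(['sub' => 42, 'role' => 'admin'])) . '.' . $s;
echo 'edited payload: ', verifyHs256($edited, $secret) !== null ? "accepted\n" : "rejected\n";

// Expired token with a valid signature is also rejected.
$stale = signHs256(['sub' => 42, 'exp' => time() - 1], $secret);
echo 'expired token: ', verifyHs256($stale, $secret) !== null ? "accepted\n" : "rejected\n";
```

The strength of this scheme is entirely in `TOKEN_SECRET` (see Environment Security below): HS256 is a symmetric MAC, so anyone who can read the secret can mint tokens, and a short or guessable secret makes the signature check meaningless.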
Password Security
GEMVC uses Argon2i for password hashing - the industry standard:
Password Hashing
```php
use Gemvc\Helper\CryptHelper;

// Hash password (Argon2i - memory-hard algorithm)
$hashedPassword = CryptHelper::hashPassword($plainPassword);

// Verify password
$isValid = CryptHelper::passwordVerify($plainPassword, $hashedPassword);
```
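To make concrete what "memory-hard" buys you and how a login flow should handle hash upgrades, here is an added example using PHP's native `password_*` API with `PASSWORD_ARGON2I`. It is not `CryptHelper`'s implementation; the cost parameters and the rehash-on-login policy are this example's own choices, and it needs a PHP build with Argon2 support.

```php
<?php
// Added example, plain PHP; not the CryptHelper source.

const PWD_ALGO = PASSWORD_ARGON2I;
const PWD_OPTIONS = [
    'memory_cost' => 65536, // 64 MiB per hash: memory cost is what blunts GPU/ASIC guessing
    'time_cost'   => 4,     // iterations
    'threads'     => 2,
];

function hashPassword(string $plain): string
{
    // password_hash() generates a fresh random salt and encodes algorithm,
    // parameters and salt into the returned string.
    return password_hash($plain, PWD_ALGO, PWD_OPTIONS);
}

// Returns the hash to store after a successful login (possibly upgraded),
// or null if the password is wrong.
function loginCheck(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    // The stored hash may have been produced with older, weaker parameters or
    // another algorithm. Re-hash while the plaintext is legitimately in hand.
    if (password_needs_rehash($storedHash, PWD_ALGO, PWD_OPTIONS)) {
        return hashPassword($plain);
    }
    return $storedHash;
}

// Constructed demo.
$stored = hashPassword('correct horse battery staple');
echo 'algorithm: ', password_get_info($stored)['algoName'], "\n";
echo 'right password: ', loginCheck('correct horse battery staple', $stored) !== null ? "ok\n" : "fail\n";
echo 'wrong password:  ', loginCheck('wrong', $stored) === null ? "rejected\n" : "accepted?!\n";

// A legacy bcrypt hash for the same password is accepted once, then upgraded.
$legacy   = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$upgraded = loginCheck('correct horse battery staple', $legacy);
echo 'legacy hash upgraded: ', ($upgraded !== null && $upgraded !== $legacy) ? "yes\n" : "no\n";
```

Two points a reviewer should check in any wrapper like `CryptHelper`: that verification goes through `password_verify()` (which is constant-time and parses the parameters from the hash) rather than a string comparison, and that the application has a path to re-hash when cost parameters are raised.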
Environment Security
.env Security
```ini
# .env - Keep these secret!
TOKEN_SECRET='your-very-long-random-secret-key-here'
DB_PASSWORD='strong-database-password'
APP_ENV=production
SWOOLE_DISPLAY_ERRORS=0 # Hide errors in production
```
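A `.env` that still contains the sample placeholder, or that enables error display in production, silently weakens every layer that depends on it. The following added example (not part of GEMVC) is a bootstrap check that refuses to start in that state; the 32-byte minimum for `TOKEN_SECRET` and the list of known placeholder values are this example's assumptions.

```php
<?php
// Added example, not GEMVC code: fail-closed validation of the .env values above.

// Returns a list of problems; an empty list means the configuration is acceptable.
function checkEnvSecurity(array $env): array
{
    $problems = [];

    // TOKEN_SECRET signs every JWT (HS256), so it must be long and not a sample value.
    $secret = $env['TOKEN_SECRET'] ?? '';
    $placeholders = ['', 'secret', 'changeme', 'your-very-long-random-secret-key-here'];
    if (in_array($secret, $placeholders, true)) {
        $problems[] = 'TOKEN_SECRET is empty or a placeholder value';
    } elseif (strlen($secret) < 32) {
        $problems[] = 'TOKEN_SECRET is shorter than 32 bytes';
    }

    if (($env['DB_PASSWORD'] ?? '') === '') {
        $problems[] = 'DB_PASSWORD is empty';
    }

    // Stack traces and file paths must not reach clients in production.
    if (($env['APP_ENV'] ?? '') === 'production'
        && ($env['SWOOLE_DISPLAY_ERRORS'] ?? '0') !== '0') {
        $problems[] = 'SWOOLE_DISPLAY_ERRORS must be 0 when APP_ENV=production';
    }

    return $problems;
}

// Constructed sample: the .env shown above, deployed as-is with errors enabled.
$sample = [
    'TOKEN_SECRET'          => 'your-very-long-random-secret-key-here',
    'DB_PASSWORD'           => 'strong-database-password',
    'APP_ENV'               => 'production',
    'SWOOLE_DISPLAY_ERRORS' => '1',
];

$problems = checkEnvSecurity($sample);
foreach ($problems as $p) {
    fwrite(STDERR, "config error: $p\n");
}
if ($problems !== []) {
    // A freshly generated secret of the required strength, for the operator to paste in.
    fwrite(STDERR, 'suggested TOKEN_SECRET: ' . bin2hex(random_bytes(32)) . "\n");
}

// In a real bootstrap the check runs against the process environment:
// if (checkEnvSecurity(getenv()) !== []) { exit(1); }
```

Running the check at startup rather than on first request means a misconfigured deployment never serves traffic, and the generated suggestion comes from `random_bytes()`, a CSPRNG, rather than from a human-chosen phrase.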