michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bc78f55405bb9efc022db7d86851b90a0b29215
michaelschiemer/docs/features/security/patterns.md
Michael Schiemer 36ef2a1e2c
Some checks failed
🚀 Build & Deploy Image / Determine Build Necessity (push) Failing after 10m14s
Details
🚀 Build & Deploy Image / Build Runtime Base Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Build Docker Image (push) Has been skipped
Details
🚀 Build & Deploy Image / Run Tests & Quality Checks (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Staging (push) Has been skipped
Details
🚀 Build & Deploy Image / Auto-deploy to Production (push) Has been skipped
Details
Security Vulnerability Scan / Check for Dependency Changes (push) Failing after 11m25s
Details
Security Vulnerability Scan / Composer Security Audit (push) Has been cancelled
Details
fix: Gitea Traefik routing and connection pool optimization 
- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de
2025-11-09 14:46:15 +01:00

1136 lines
30 KiB
Markdown
Raw Blame History

# Security Patterns
Comprehensive security architecture and patterns for production deployment.
## Web Application Firewall (WAF)
### Overview
Multi-layer WAF system with intelligent threat detection, machine learning integration, and real-time monitoring.
**Core Components**:
- `WafEngine`: Central orchestrator for all security layers
- `WafMiddleware`: HTTP middleware integration
- `ThreatAssessmentService`: Unified threat evaluation
- `MachineLearningEngine`: ML-based anomaly detection (optional)
### WAF Architecture
```
Request → WafMiddleware → WafEngine → Security Layers → ThreatAssessment → Block/Allow
[SQL Injection, XSS, Path Traversal,
Command Injection, Rate Limiting,
Suspicious User Agents]
```
### Security Layers
#### 1. SQL Injection Layer
**Protection**: Detects SQL injection attempts in query parameters, POST data, headers
**Patterns**: `UNION SELECT`, `DROP TABLE`, `; DELETE`, `' OR 1=1`, `--`, `/**/`
**Severity**: CRITICAL
**Action**: Block + Log
#### 2. XSS (Cross-Site Scripting) Layer
**Protection**: Detects XSS attack vectors
**Patterns**: `<script>`, `javascript:`, `onerror=`, `onload=`, `eval()`, `innerHTML`
**Severity**: HIGH
**Action**: Block + Sanitize + Log
#### 3. Path Traversal Layer
**Protection**: Prevents directory traversal attacks
**Patterns**: `../`, `..\\`, `/etc/passwd`, `C:\Windows`, `%2e%2e`
**Severity**: CRITICAL
**Action**: Block + Log
#### 4. Command Injection Layer
**Protection**: Detects shell command injection
**Patterns**: `; ls`, `| cat`, `&& rm`, `` `whoami` ``, `$(command)`
**Severity**: CRITICAL
**Action**: Block + Log + Alert
#### 5. Intelligent Rate Limiting Layer
**Protection**: Adaptive rate limiting based on behavior patterns
**Algorithm**: Token bucket with dynamic adjustment
**Thresholds**: Configurable per endpoint/IP/user
**Action**: 429 Response + Temporary block
#### 6. Suspicious User Agent Layer
**Protection**: Detects malicious bots and scanners
**Patterns**: Common scanners (sqlmap, nikto, nmap), headless browsers without proper headers
**Severity**: MEDIUM
**Action**: CAPTCHA challenge or block
### Configuration
```php
use App\Framework\Config\WafConfig;
use App\Framework\Core\ValueObjects\Duration;
$wafConfig = new WafConfig(
enabled: true,
mode: WafMode::BLOCKING, // or MONITORING for testing
globalTimeout: Duration::fromMilliseconds(50),
enableMachineLearning: false, // Enable for advanced detection
feedbackEnabled: true // Collect feedback for tuning
);
```
### Usage in Middleware
```php
// Automatic integration via WafMiddleware
final readonly class WafMiddleware implements Middleware
{
public function process(
Request $request,
callable $next
): Response {
// Analyze request through all WAF layers
$decision = $this->wafEngine->analyzeRequest($request);
if ($decision->shouldBlock()) {
// Log security event
$this->owaspLogger->logSecurityEvent(
new SecurityEventType($decision->threatType),
$request
);
// Return 403 Forbidden
return new Response(
status: Status::FORBIDDEN,
body: 'Request blocked by security policy'
);
}
return $next($request);
}
}
```
### Manual WAF Analysis
```php
use App\Framework\Waf\WafEngine;
// Analyze specific request
$decision = $this->wafEngine->analyzeRequest($request);
if ($decision->shouldBlock()) {
// Handle threat
$threatLevel = $decision->threatAssessment->overallRisk;
$detections = $decision->threatAssessment->detections;
foreach ($detections as $detection) {
$this->logger->warning('WAF Detection', [
'type' => $detection->type,
'severity' => $detection->severity->value,
'pattern' => $detection->pattern,
'value' => $detection->value
]);
}
}
// Get layer-specific results
$layerResults = $this->wafEngine->getLayerResults();
// Health monitoring
$health = $this->wafEngine->getHealthStatus();
// Returns: ['status' => 'healthy', 'health_percentage' => 100.0, ...]
```
### WAF Feedback System
Collect feedback on false positives/negatives for continuous improvement:
```php
use App\Framework\Waf\Feedback\WafFeedbackIntegrator;
// Report false positive
$feedback = $this->feedbackIntegrator->reportFalsePositive(
requestId: $requestId,
detectionType: 'sql_injection',
reason: 'Legitimate query parameter',
userName: $currentUser->name
);
// Report false negative
$feedback = $this->feedbackIntegrator->reportFalseNegative(
requestId: $requestId,
attackType: 'xss',
evidence: 'Malicious script bypassed detection',
userName: $securityTeam->name
);
```
### Performance Characteristics
- **Average Latency**: <5ms per request
- **Max Layers Parallel**: 6 layers
- **Throughput**: 10,000+ requests/second
- **False Positive Rate**: <0.1% (with ML enabled)
- **Detection Rate**: >99.5% (OWASP Top 10)
### Monitoring & Alerts
```php
// Performance stats
$stats = $this->wafEngine->getPerformanceStats();
foreach ($stats as $layerName => $metrics) {
$this->monitor->gauge("waf.layer.{$layerName}.duration",
$metrics['execution_duration']->toMilliseconds()
);
$this->monitor->gauge("waf.layer.{$layerName}.detections",
$metrics['detections']
);
}
// Health checks
if ($health['status'] === 'degraded') {
$this->alerting->sendAlert(
level: AlertLevel::WARNING,
message: "WAF degraded: {$health['healthy_layers']}/{$health['total_layers']} layers healthy"
);
}
```
---
## OWASP Event Integration
### Overview
Comprehensive security event logging based on OWASP Application Security Logging standards.
**Features**:
- Standardized event types (OWASP event identifiers)
- Contextual security event data
- Integration with WAF, authentication, and authorization systems
- Real-time security monitoring
### Event Types
```php
use App\Framework\Security\OWASPEventIdentifier;
// Authentication Events
OWASPEventIdentifier::AUTHN_LOGIN_SUCCESS
OWASPEventIdentifier::AUTHN_LOGIN_FAILURE
OWASPEventIdentifier::AUTHN_LOGOUT_SUCCESS
OWASPEventIdentifier::AUTHN_SESSION_EXPIRED
OWASPEventIdentifier::AUTHN_TOKEN_INVALID
// Authorization Events
OWASPEventIdentifier::AUTHZ_PERMISSION_DENIED
OWASPEventIdentifier::AUTHZ_PRIVILEGE_ESCALATION
// Input Validation Events
OWASPEventIdentifier::INPUT_VALIDATION_FAILURE
OWASPEventIdentifier::INPUT_XSS_DETECTED
OWASPEventIdentifier::INPUT_SQL_INJECTION_DETECTED
// Session Events
OWASPEventIdentifier::SESSION_HIJACK_ATTEMPT
OWASPEventIdentifier::SESSION_FIXATION_ATTEMPT
// Security Events
OWASPEventIdentifier::SECURITY_INTRUSION_DETECTED
OWASPEventIdentifier::SECURITY_MALWARE_DETECTED
```
### Logging Security Events
```php
use App\Framework\Security\OWASPSecurityLogger;
// Log authentication failure
$this->owaspLogger->logSecurityEvent(
new SecurityEventType(OWASPEventIdentifier::AUTHN_LOGIN_FAILURE),
request: $request,
context: [
'username' => $credentials->username,
'ip_address' => $request->server->getRemoteAddr(),
'user_agent' => $request->server->getUserAgent(),
'failure_reason' => 'Invalid credentials'
]
);
// Log intrusion detection
$this->owaspLogger->logSecurityEvent(
new SecurityEventType(OWASPEventIdentifier::SECURITY_INTRUSION_DETECTED),
request: $request,
context: [
'attack_type' => 'sql_injection',
'detected_pattern' => "' OR 1=1--",
'threat_level' => 'critical',
'waf_layer' => 'SqlInjectionLayer'
]
);
```
### WAF-OWASP Bridge
Automatic event logging for WAF detections:
```php
final readonly class WafOWASPEventBridge
{
public function logWafDetection(
WafDecision $decision,
Request $request
): void {
if (!$decision->shouldBlock()) {
return;
}
$eventType = $this->mapWafThreatToOWASP(
$decision->threatAssessment->primaryThreat
);
$this->owaspLogger->logSecurityEvent(
$eventType,
$request,
context: [
'threat_score' => $decision->threatAssessment->overallRisk,
'detections' => $decision->threatAssessment->detections,
'action_taken' => 'blocked'
]
);
}
}
```
### Event Monitoring Dashboard
```php
// Get security event statistics
$stats = $this->owaspLogger->getEventStatistics(
timeRange: Duration::fromHours(24)
);
// Returns:
[
'total_events' => 1523,
'by_severity' => [
'critical' => 5,
'high' => 23,
'medium' => 145,
'low' => 1350
],
'by_type' => [
'authn_login_failure' => 342,
'input_validation_failure' => 891,
'authz_permission_denied' => 67,
...
],
'top_ips' => [
'203.0.113.42' => 89,
'198.51.100.10' => 67,
...
]
]
```
---
## CSRF Protection
### Overview
Token-based CSRF protection for all state-changing operations.
**Features**:
- Per-session CSRF tokens
- Automatic token validation via middleware
- Framework-level integration
- Token rotation support
### Configuration
```php
// CSRF tokens are automatically generated and validated
// Configuration via CsrfMiddleware priority
use App\Framework\Http\Middlewares\CsrfMiddleware;
// Middleware automatically validates CSRF for:
// - POST, PUT, DELETE, PATCH requests
// - Excludes: GET, HEAD, OPTIONS
```
### Token Generation
```php
// Automatic token generation in sessions
$csrfToken = $session->getCsrfToken();
// Manual token generation
use App\Framework\Security\CsrfTokenGenerator;
$token = $this->csrfTokenGenerator->generate();
```
### Template Integration
```html
<!-- Automatic token injection via CsrfTokenProcessor -->
<form method="POST" action="/api/users">
{csrf_token} <!-- Automatically replaced with hidden input -->
<input type="text" name="username" />
<button type="submit">Create User</button>
</form>
<!-- Rendered as: -->
<form method="POST" action="/api/users">
<input type="hidden" name="_csrf_token" value="generated_token_here" />
<input type="text" name="username" />
<button type="submit">Create User</button>
</form>
```
### JavaScript/AJAX Integration
```javascript
// Get token from meta tag
const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
// Include in requests
fetch('/api/endpoint', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-Token': csrfToken
},
body: JSON.stringify(data)
});
```
### Excluding Routes from CSRF
```php
use App\Framework\Attributes\Route;
use App\Framework\Http\Method;
// API endpoints with other authentication
#[Route(path: '/api/webhook', method: Method::POST)]
#[SkipCsrf] // Custom attribute to skip CSRF for this route
public function handleWebhook(Request $request): JsonResult
{
// Validate via signature/API key instead
$this->validateWebhookSignature($request);
return new JsonResult(['status' => 'processed']);
}
```
### Error Handling
```php
// CSRF validation failure throws exception
use App\Framework\Exception\Security\CsrfTokenMismatchException;
try {
$this->csrfValidator->validate($request);
} catch (CsrfTokenMismatchException $e) {
// Log security event
$this->owaspLogger->logSecurityEvent(
new SecurityEventType(OWASPEventIdentifier::CSRF_ATTACK_DETECTED),
$request
);
// Return 403 Forbidden
return new Response(
status: Status::FORBIDDEN,
body: 'CSRF token validation failed'
);
}
```
---
## Rate Limiting
### Overview
Multi-level rate limiting with intelligent adaptation and DDoS protection.
**Features**:
- IP-based rate limiting
- User-based rate limiting
- Endpoint-specific limits
- Adaptive thresholds
- Distributed rate limiting support
### Configuration
```env
# Rate Limiting Configuration (.env)
RATE_LIMIT_DEFAULT=60 # Requests per window
RATE_LIMIT_WINDOW=60 # Window in seconds
RATE_LIMIT_AUTH=10 # Auth endpoint limit
RATE_LIMIT_AUTH_WINDOW=300 # Auth window (5 min)
RATE_LIMIT_API=30 # API endpoint limit
RATE_LIMIT_API_WINDOW=60 # API window
```
### Usage Patterns
```php
use App\Framework\RateLimit\RateLimiter;
use App\Framework\RateLimit\RateLimitKey;
// IP-based rate limiting
$key = RateLimitKey::forIp($request->server->getRemoteAddr());
$limit = RateLimit::create(requests: 60, window: Duration::fromSeconds(60));
if (!$this->rateLimiter->allow($key, $limit)) {
throw new RateLimitExceededException(
retryAfter: $this->rateLimiter->retryAfter($key)
);
}
// User-based rate limiting
$key = RateLimitKey::forUser($userId);
$limit = RateLimit::create(requests: 100, window: Duration::fromMinutes(1));
if (!$this->rateLimiter->allow($key, $limit)) {
return new JsonResponse(
data: ['error' => 'Too many requests'],
status: Status::TOO_MANY_REQUESTS,
headers: [
'Retry-After' => (string) $this->rateLimiter->retryAfter($key)->toSeconds()
]
);
}
```
### Middleware Integration
```php
use App\Framework\Http\Middlewares\RateLimitMiddleware;
// Automatically applied via middleware stack
// Custom limits per route:
#[Route(path: '/api/search', method: Method::GET)]
#[RateLimit(requests: 10, window: 60)] // 10 requests per minute
public function search(Request $request): JsonResult
{
return new JsonResult($this->searchService->search($request));
}
```
### Adaptive Rate Limiting
The `IntelligentRateLimitLayer` in WAF automatically adjusts based on:
- Historical traffic patterns
- Attack detection
- Resource utilization
- User reputation scores
### Monitoring
```php
// Get rate limit statistics
$stats = $this->rateLimiter->getStatistics();
// Returns:
[
'total_requests' => 15234,
'blocked_requests' => 523,
'top_limited_ips' => [
'203.0.113.42' => 89,
'198.51.100.10' => 67,
],
'average_retry_after' => Duration::fromSeconds(45)
]
```
---
## Authentication & Authorization
### IP-based Authentication
```php
use App\Framework\Attributes\Route;
use App\Framework\Attributes\Auth;
// Admin routes restricted to whitelisted IPs
#[Route(path: '/admin/dashboard', method: Method::GET)]
#[Auth(strategy: 'ip', allowedIps: ['127.0.0.1', '::1', '203.0.113.0/24'])]
public function dashboard(): ViewResult
{
return new ViewResult('admin/dashboard');
}
```
### Session-based Authentication
```php
#[Route(path: '/api/users', method: Method::POST)]
#[Auth(strategy: 'session', roles: ['admin'])]
public function createUser(CreateUserRequest $request): JsonResult
{
// Only authenticated admins can access
return new JsonResult($this->userService->create($request));
}
```
### Token-based Authentication
```php
#[Route(path: '/api/v1/data', method: Method::GET)]
#[Auth(strategy: 'token', scopes: ['read:data'])]
public function getData(Request $request): JsonResult
{
// Validate Bearer token
$token = $request->headers->getAuthorization();
$user = $this->tokenAuthenticator->authenticate($token);
return new JsonResult($this->dataService->getData($user));
}
```
---
## Security Headers
### Automatic Security Headers
Framework automatically sets security headers via middleware:
```php
// SecurityHeadersMiddleware
$headers = [
'X-Frame-Options' => 'SAMEORIGIN',
'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1; mode=block',
'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
'Content-Security-Policy' => $this->generateCspHeader(),
'Referrer-Policy' => 'strict-origin-when-cross-origin',
'Permissions-Policy' => 'geolocation=(), microphone=(), camera=()'
];
```
### Content Security Policy (CSP)
```php
// Configure CSP via environment or config
$csp = ContentSecurityPolicy::build()
->defaultSrc(["'self'"])
->scriptSrc(["'self'", "'unsafe-inline'", 'https://cdn.example.com'])
->styleSrc(["'self'", "'unsafe-inline'"])
->imgSrc(["'self'", 'data:', 'https:'])
->connectSrc(["'self'", 'wss://localhost'])
->fontSrc(["'self'", 'https://fonts.gstatic.com'])
->reportUri('/csp-report');
```
---
## State Encryption for LiveComponents
### Overview
Sensitive LiveComponent state data is automatically encrypted using authenticated encryption (AES-256-GCM via libsodium) to protect against tampering and unauthorized access.
**Core Components**:
- `StateEncryptor`: Low-level encryption/decryption with libsodium
- `EncryptedStateSerializer`: State serialization with automatic encryption
- `EncryptionTransformer`: Transparent encryption in state management pipeline
- `CacheBasedStateManager`: State persistence with encryption support
### Security Features
**Authenticated Encryption**:
- Algorithm: XSalsa20-Poly1305 (via `sodium_crypto_secretbox`)
- Key Size: 256-bit (32 bytes)
- Nonce: 24 bytes, unique per encryption operation
- MAC: Poly1305 authentication tag included
- Version Byte: Prepended for future compatibility
**Protection Against**:
- State tampering (MAC verification fails)
- Replay attacks (unique nonces per encryption)
- Unauthorized decryption (strong encryption key required)
- Side-channel attacks (constant-time comparisons)
### Configuration
```php
// Generate encryption key (only once, store in Vault)
use App\Framework\Random\SecureRandomGenerator;
$random = new SecureRandomGenerator();
$encryptionKey = $random->bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // 32 bytes
// Store in Vault
$vault->store('state_encryption_key', $encryptionKey);
```
**Environment Configuration**:
```env
# .env
VAULT_ENCRYPTION_KEY=<base64-encoded-key>
STATE_ENCRYPTION_ENABLED=true
```
### Basic Usage
#### Direct Encryption
```php
use App\Framework\LiveComponents\Serialization\StateEncryptor;
use App\Framework\Cryptography\CryptographicUtilities;
use App\Framework\Random\SecureRandomGenerator;
// Initialize encryptor
$random = new SecureRandomGenerator();
$crypto = new CryptographicUtilities($random);
$encryptionKey = $vault->get('state_encryption_key');
$encryptor = new StateEncryptor($encryptionKey, $crypto, $random);
// Encrypt plaintext
$encrypted = $encryptor->encrypt('sensitive data');
// Decrypt
$plaintext = $encryptor->decrypt($encrypted);
// Verify encryption format
if ($encryptor->isEncrypted($encrypted)) {
// Data is encrypted
}
```
#### State Serialization with Encryption
```php
use App\Framework\LiveComponents\Serialization\EncryptedStateSerializer;
// State must implement SerializableState interface
final readonly class UserProfileState implements SerializableState
{
public function __construct(
public string $userId,
public Email $email,
public string $sessionToken // Sensitive data
) {}
public function toArray(): array
{
return [
'user_id' => $this->userId,
'email' => $this->email->value,
'session_token' => $this->sessionToken,
];
}
public static function fromArray(array $data): self
{
return new self(
userId: $data['user_id'],
email: new Email($data['email']),
sessionToken: $data['session_token']
);
}
}
// Serialize and encrypt
$serializer = new EncryptedStateSerializer($encryptor);
$encrypted = $serializer->serialize($userProfileState);
// Deserialize and decrypt
$decrypted = $serializer->deserialize($encrypted, UserProfileState::class);
```
#### Automatic Encryption via Transformer Pipeline
```php
use App\Framework\StateManagement\CacheBasedStateManager;
use App\Framework\StateManagement\EncryptionTransformer;
// Setup state manager with encryption transformer
$encryptionTransformer = new EncryptionTransformer($serializer);
$stateManager = new CacheBasedStateManager(
$cache,
transformers: [$encryptionTransformer] // Add to transformer pipeline
);
// State is automatically encrypted when stored
$stateManager->store($componentId, $state);
// State is automatically decrypted when retrieved
$state = $stateManager->retrieve($componentId, UserProfileState::class);
```
### Encryption Details
**Encrypted Data Format**:
```
[Version Byte: 1 byte][Nonce: 24 bytes][Ciphertext + MAC: variable]
↑ Output from sodium_crypto_secretbox
```
**Data Flow**:
```
1. State Object → toArray()
2. Array → JSON encoding
3. JSON → Encryption with unique nonce
4. Encrypted bytes → Base64 encoding
5. Base64 string → Cache storage
```
**Decryption Flow**:
```
1. Base64 string → Base64 decoding
2. Encrypted bytes → Extract version byte + nonce + ciphertext
3. Ciphertext → Decryption with MAC verification
4. Decrypted JSON → JSON decoding
5. Array → fromArray() → State Object
```
### Key Management
**Best Practices**:
1. **Key Generation**:
```php
// Use framework's SecureRandomGenerator
$random = new SecureRandomGenerator();
$key = $random->bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Verify key strength
$crypto = new CryptographicUtilities($random);
if (!$crypto->validateEntropy($key, 4.0)) {
throw new \RuntimeException('Weak encryption key');
}
```
2. **Key Storage**:
```php
// Store in Vault (encrypted at rest)
$vault->store('state_encryption_key', $key);
// DO NOT store in:
// - .env files (committed to git)
// - Plain text files
// - Database without encryption
```
3. **Key Rotation**:
```php
// Generate new key
$newKey = $random->bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Re-encrypt existing states
foreach ($stateManager->getAllStates() as $id => $state) {
// Decrypt with old key
$decrypted = $oldEncryptor->decrypt($state);
// Encrypt with new key
$reencrypted = $newEncryptor->encrypt($decrypted);
// Store updated state
$stateManager->update($id, $reencrypted);
}
// Replace key in vault
$vault->store('state_encryption_key', $newKey);
```
### Error Handling
```php
use App\Framework\LiveComponents\Exceptions\StateEncryptionException;
try {
$encrypted = $serializer->serialize($state);
} catch (StateEncryptionException $e) {
// Encryption failed
// Possible causes:
// - Invalid encryption key
// - State serialization error
// - libsodium extension not loaded
error_log("State encryption failed: " . $e->getMessage());
throw $e;
}
try {
$state = $serializer->deserialize($encrypted, StateClass::class);
} catch (StateEncryptionException $e) {
// Decryption failed
// Possible causes:
// - Invalid/corrupted encrypted data
// - MAC verification failed (tampering detected)
// - Wrong encryption key
// - Invalid state class
error_log("State decryption failed: " . $e->getMessage());
// Security response: Do NOT expose details to client
throw new \RuntimeException('State decryption failed');
}
```
### Security Considerations
**1. Key Protection**:
- NEVER commit encryption keys to version control
- Use Vault for secure key storage
- Rotate keys regularly (recommended: quarterly)
- Different keys per environment (dev/staging/prod)
**2. Nonce Uniqueness**:
- Framework automatically generates unique nonce per encryption
- NEVER reuse nonces with same key
- Nonce is prepended to ciphertext (no separate storage needed)
**3. MAC Verification**:
- Always performed during decryption
- Constant-time comparison prevents timing attacks
- Tampering detection is automatic
**4. State Validation**:
```php
// Always validate decrypted state
final readonly class SecureStateManager
{
public function retrieve(string $id, string $stateClass): object
{
// 1. Retrieve encrypted state from cache
$encrypted = $this->cache->get($id);
// 2. Decrypt and deserialize
$state = $this->serializer->deserialize($encrypted, $stateClass);
// 3. Validate decrypted state
if (!$this->validator->isValid($state)) {
throw new StateValidationException('Invalid state after decryption');
}
return $state;
}
}
```
**5. Performance Considerations**:
- Encryption overhead: ~1-2ms per operation
- Use for sensitive data only
- Consider caching decrypted states in memory for short periods
- Monitor cache TTL to balance security and performance
### Testing
```php
// Example unit test
it('encrypts and decrypts state correctly', function () {
$random = new SecureRandomGenerator();
$crypto = new CryptographicUtilities($random);
$key = $random->bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$encryptor = new StateEncryptor($key, $crypto, $random);
$serializer = new EncryptedStateSerializer($encryptor);
$state = new UserProfileState(
userId: 'user123',
email: new Email('test@example.com'),
sessionToken: 'secret-token'
);
// Encrypt
$encrypted = $serializer->serialize($state);
expect($encrypted)->toBeString();
expect($encrypted)->not->toContain('secret-token'); // Plaintext not visible
// Decrypt
$decrypted = $serializer->deserialize($encrypted, UserProfileState::class);
expect($decrypted->sessionToken)->toBe('secret-token');
});
it('detects tampering via MAC verification', function () {
$encrypted = $serializer->serialize($state);
// Tamper with ciphertext
$tampered = substr($encrypted, 0, -5) . 'XXXXX';
// Should throw on decryption
$serializer->deserialize($tampered, UserProfileState::class);
})->throws(StateEncryptionException::class, 'MAC verification failed');
```
### Migration Guide
**Adding Encryption to Existing State**:
```php
// Step 1: Add EncryptionTransformer to StateManager
$encryptionTransformer = new EncryptionTransformer($serializer);
$stateManager = new CacheBasedStateManager(
$cache,
transformers: [$encryptionTransformer] // Add transformer
);
// Step 2: Existing states will be re-encrypted on next update
// No migration script needed - encryption happens transparently
// Step 3: Monitor for encryption errors
try {
$state = $stateManager->retrieve($id, StateClass::class);
} catch (StateEncryptionException $e) {
// Old unencrypted state or corruption
// Regenerate state from source
}
```
---
## Input Validation
### Request Validation
```php
final readonly class CreateUserRequest implements ControllerRequest
{
public function __construct(
public Email $email, // Validated Email value object
public UserName $userName, // Validated UserName value object
public ?string $company = null
) {}
public static function fromHttpRequest(HttpRequest $request): self
{
$data = $request->parsedBody->toArray();
// Automatic validation via Value Objects
return new self(
email: new Email($data['email'] ?? ''), // Throws if invalid
userName: new UserName($data['username'] ?? ''), // Validates format
company: !empty($data['company']) ? trim($data['company']) : null
);
}
}
```
### Value Object Validation
```php
// Email value object with built-in validation
final readonly class Email
{
public function __construct(public string $value)
{
if (!filter_var($value, FILTER_VALIDATE_EMAIL)) {
throw new InvalidArgumentException('Invalid email format');
}
// Additional security checks
if ($this->containsSuspiciousPatterns($value)) {
throw new SecurityException('Email contains suspicious patterns');
}
}
}
```
---
## Security Best Practices
### 1. Never Trust User Input
- Validate all input via Value Objects
- Use parameterized queries (never string concatenation)
- Sanitize output based on context (HTML, JavaScript, SQL, etc.)
### 2. Defense in Depth
- Multiple security layers (WAF + validation + authorization)
- Fail securely (block by default, allow explicitly)
- Log all security events
### 3. Secure Defaults
- HTTPS enforced in production
- Security headers enabled by default
- CSRF protection automatic
- Rate limiting active
### 4. Secrets Management
- Use Vault for sensitive data
- Never commit secrets to version control
- Rotate keys regularly
- Use different keys per environment
### 5. Monitoring & Alerting
- Monitor OWASP security events
- Alert on unusual patterns
- Regular security audits
- Automated vulnerability scanning
### 6. Incident Response
- Defined escalation procedures
- Security event playbooks
- Regular incident response drills
- Post-mortem analysis
---
## Production Deployment Checklist
### Encryption & Key Management
- [ ] Generate new VAULT_ENCRYPTION_KEY
- [ ] Generate STATE_ENCRYPTION_KEY and store in Vault
- [ ] Verify libsodium extension is installed (`php -m | grep sodium`)
- [ ] Test encryption key strength (minimum 4.0 bits/byte entropy)
- [ ] Configure key rotation schedule (recommended: quarterly)
- [ ] Set up separate encryption keys per environment
### State Encryption
- [ ] Enable STATE_ENCRYPTION_ENABLED=true in production
- [ ] Add EncryptionTransformer to StateManager pipeline
- [ ] Test state encryption/decryption flow
- [ ] Verify encrypted states in cache (no plaintext visible)
- [ ] Monitor encryption performance (<2ms overhead)
- [ ] Set up alerts for StateEncryptionException errors
### WAF & Security Headers
- [ ] Configure ADMIN_ALLOWED_IPS with production IPs
- [ ] Enable WAF in BLOCKING mode
- [ ] Configure rate limits for production traffic
- [ ] Set up OWASP event monitoring
- [ ] Enable security headers
- [ ] Configure CSP policy
- [ ] Test CSRF protection
### SSL/TLS & Network Security
- [ ] Verify SSL/TLS configuration
- [ ] Review and update firewall rules
- [ ] Test HTTPS enforcement
- [ ] Configure HSTS headers
### Monitoring & Alerting
- [ ] Set up security alerting
- [ ] Configure StateEncryptionException monitoring
- [ ] Monitor encryption key usage patterns
- [ ] Set up MAC verification failure alerts
- [ ] Test incident response procedures
### Security Testing
- [ ] Conduct security penetration test
- [ ] Test state tampering detection (MAC verification)
- [ ] Verify encrypted state cannot be decrypted without key
- [ ] Test key rotation process
- [ ] Validate error handling doesn't leak sensitive info
---
## Security Contacts
**Security Issues**: Report to security@example.com
**Bug Bounty**: https://example.com/security/bug-bounty
**Security Documentation**: This file and related guides
Reference in New Issue View Git Blame Copy Permalink