๐ ๐ TuskLang PHP Security Best Practices Guide
๐ TuskLang PHP Security Best Practices Guide
"We don't bow to any king" - PHP Edition
Master TuskLang's enterprise-grade security features in PHP! This guide covers encryption, validation, access control, and security patterns that will protect your applications from threats while maintaining TuskLang's revolutionary capabilities.
๐ฏ Security Overview
TuskLang provides comprehensive security features that transform your configuration from a potential vulnerability into a security fortress. This guide shows you how to implement enterprise-grade security while maintaining TuskLang's power.
<?php
// config/security-overview.tsk
[security_features]
encryption: @encrypt(@env("API_KEY"), "AES-256-GCM")
validation: @validate.strong_password(@request.password)
access_control: @rbac.can(@request.user_role, "admin", "config")
audit_logging: @audit.log("config_access", @request.user_id)๐ Encryption and Hashing
Data Encryption
<?php
// config/encryption.tsk
[secrets]
Encrypt sensitive configuration data
api_key: @encrypt(@env("API_KEY"), "AES-256-GCM")
database_password: @encrypt(@env("DB_PASSWORD"), "AES-256-GCM")
session_secret: @encrypt(@env("SESSION_SECRET"), "AES-256-GCM")
encryption_key: @encrypt(@env("ENCRYPTION_KEY"), "AES-256-GCM")[sensitive_data]
user_token: @encrypt(@request.token, "AES-256-GCM")
payment_info: @encrypt(@request.payment_data, "AES-256-GCM")
personal_data: @encrypt(@request.personal_info, "AES-256-GCM")
<?phpuse TuskLang\TuskLang;
use TuskLang\Security\Encryption;
$parser = new TuskLang();
// Configure encryption with strong settings
$encryption = new Encryption([
'algorithm' => 'AES-256-GCM',
'key' => getenv('MASTER_ENCRYPTION_KEY'),
'iv_length' => 16,
'tag_length' => 16,
'key_derivation' => 'pbkdf2',
'iterations' => 100000
]);
$parser->setEncryption($encryption);
// Parse encrypted configuration
$config = $parser->parseFile('config/encryption.tsk');
Password Hashing
<?php
// config/password-hashing.tsk
[password_hashes]
Hash passwords with strong algorithms
user_password: @hash.bcrypt(@request.password, 12)
admin_password: @hash.bcrypt(@request.password, 14)
service_password: @hash.bcrypt(@request.password, 12)[token_hashes]
Hash tokens for verification
csrf_token: @hash.sha256(@request.csrf_token)
api_token: @hash.sha256(@request.api_token)
session_token: @hash.sha256(@request.session_token)
refresh_token: @hash.sha256(@request.refresh_token)<?phpuse TuskLang\TuskLang;
use TuskLang\Security\Hashing;
$parser = new TuskLang();
// Configure hashing with strong settings
$hashing = new Hashing([
'bcrypt_cost' => 12,
'salt_length' => 32,
'algorithm' => 'sha256',
'pepper' => getenv('HASH_PEPPER')
]);
$parser->setHashing($hashing);
Secure Environment Variables
<?php
// config/secure-environment.tsk
[secure_env]
Secure environment variable access
api_key: @env.secure("API_KEY")
database_password: @env.secure("DB_PASSWORD")
session_secret: @env.secure("SESSION_SECRET")
encryption_key: @env.secure("ENCRYPTION_KEY")Environment-specific secrets
production_api_key: @env.secure("PROD_API_KEY")
staging_api_key: @env.secure("STAGING_API_KEY")
development_api_key: @env.secure("DEV_API_KEY")โ Input Validation
Basic Validation
<?php
// config/input-validation.tsk
[user_input]
Validate user input
email: @validate.email(@request.email)
password: @validate.strong_password(@request.password)
age: @validate.range(@request.age, 13, 120)
url: @validate.url(@request.website)
ip_address: @validate.ip(@request.ip)[data_validation]
Validate data types
user_id: @validate.integer(@request.user_id)
amount: @validate.float(@request.amount)
boolean_flag: @validate.boolean(@request.flag)
json_data: @validate.json(@request.json_data)Advanced Validation
<?php
// config/advanced-validation.tsk
[complex_validation]
Custom validation rules
strong_password: @validate.custom("strong_password", @request.password, {
"min_length": 8,
"require_uppercase": true,
"require_lowercase": true,
"require_numbers": true,
"require_special": true
})phone_number: @validate.custom("phone_number", @request.phone, {
"format": "international",
"country": "US"
})
credit_card: @validate.custom("credit_card", @request.card_number, {
"allowed_types": ["visa", "mastercard", "amex"]
})
[data_schema]
JSON schema validation
user_data: @validate.json_schema(@request.user_data, {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"maxLength": 100,
"pattern": "^[a-zA-Z\\s]+$"
},
"email": {
"type": "string",
"format": "email"
},
"age": {
"type": "integer",
"minimum": 13,
"maximum": 120
},
"preferences": {
"type": "object",
"properties": {
"newsletter": {"type": "boolean"},
"notifications": {"type": "boolean"}
}
}
},
"required": ["name", "email"],
"additionalProperties": false
})Custom Validators
<?phpuse TuskLang\TuskLang;
$parser = new TuskLang();
// Custom validators for business logic
$parser->addValidator('strong_password', function($password, $options = []) {
$minLength = $options['min_length'] ?? 8;
$requireUppercase = $options['require_uppercase'] ?? true;
$requireLowercase = $options['require_lowercase'] ?? true;
$requireNumbers = $options['require_numbers'] ?? true;
$requireSpecial = $options['require_special'] ?? true;
if (strlen($password) < $minLength) return false;
if ($requireUppercase && !preg_match('/[A-Z]/', $password)) return false;
if ($requireLowercase && !preg_match('/[a-z]/', $password)) return false;
if ($requireNumbers && !preg_match('/[0-9]/', $password)) return false;
if ($requireSpecial && !preg_match('/[^A-Za-z0-9]/', $password)) return false;
return true;
});
$parser->addValidator('phone_number', function($phone, $options = []) {
$format = $options['format'] ?? 'international';
$country = $options['country'] ?? 'US';
// Remove all non-digit characters
$digits = preg_replace('/[^0-9]/', '', $phone);
if ($country === 'US') {
return strlen($digits) === 10 || strlen($digits) === 11;
}
return strlen($digits) >= 7 && strlen($digits) <= 15;
});
$parser->addValidator('credit_card', function($cardNumber, $options = []) {
$allowedTypes = $options['allowed_types'] ?? ['visa', 'mastercard'];
// Remove spaces and dashes
$cardNumber = preg_replace('/[\s-]/', '', $cardNumber);
// Luhn algorithm check
$sum = 0;
$length = strlen($cardNumber);
$parity = $length % 2;
for ($i = 0; $i < $length; $i++) {
$digit = $cardNumber[$i];
if ($i % 2 == $parity) {
$digit *= 2;
if ($digit > 9) {
$digit -= 9;
}
}
$sum += $digit;
}
return $sum % 10 === 0;
});
๐ก๏ธ Access Control
Role-Based Access Control (RBAC)
<?php
// config/rbac.tsk
[permissions]
Role-based permissions
user_permissions: @rbac.get_permissions(@request.user_role)
can_edit_config: @rbac.can(@request.user_role, "edit", "config")
can_delete_users: @rbac.can(@request.user_role, "delete", "users")
can_view_analytics: @rbac.can(@request.user_role, "view", "analytics")[role_hierarchy]
Role hierarchy
admin_inherits: @rbac.inherits("admin", ["manager", "user"])
manager_inherits: @rbac.inherits("manager", ["user"])
user_inherits: @rbac.inherits("user", [])[resource_permissions]
Resource-specific permissions
config_permissions: @rbac.resource_permissions("config", @request.user_role)
user_permissions: @rbac.resource_permissions("users", @request.user_role)
analytics_permissions: @rbac.resource_permissions("analytics", @request.user_role)IP-Based Access Control
<?php
// config/ip-access-control.tsk
[ip_whitelist]
IP whitelist
allowed_ips: ["127.0.0.1", "192.168.1.0/24", "10.0.0.0/8"]
is_allowed_ip: @security.ip_allowed(@request.ip, $allowed_ips)[geo_restrictions]
Geographic restrictions
allowed_countries: ["US", "CA", "GB", "DE"]
is_allowed_country: @security.country_allowed(@request.ip, $allowed_countries)[rate_limiting]
Rate limiting by IP
rate_limit: @security.rate_limit(@request.ip, "config_access", 100, "1h")
is_rate_limited: @security.is_rate_limited(@request.ip, "config_access")Time-Based Access Control
<?php
// config/time-access-control.tsk
[time_restrictions]
Business hours access
business_hours: @time.between("09:00", "17:00")
is_business_hours: @time.is_business_hours()
can_access: @if(@time.is_business_hours(), true, false)[maintenance_windows]
Maintenance window restrictions
maintenance_start: @time.parse("2024-01-15 02:00:00")
maintenance_end: @time.parse("2024-01-15 04:00:00")
is_maintenance: @time.between($maintenance_start, $maintenance_end)๐ SQL Injection Prevention
Parameterized Queries
<?php
// config/sql-injection-prevention.tsk
[secure_queries]
Always use parameterized queries
user_by_id: @query("SELECT * FROM users WHERE id = ?", @validate.integer(@request.user_id))
user_orders: @query("SELECT * FROM orders WHERE user_id = ? AND status = ?",
@validate.integer(@request.user_id),
@validate.enum(@request.status, ["pending", "completed", "cancelled"]))[input_sanitization]
Sanitize input before database queries
sanitized_user_id: @sanitize.integer(@request.user_id)
sanitized_email: @sanitize.email(@request.email)
sanitized_name: @sanitize.string(@request.name, "alpha_space")Query Validation
<?php
// config/query-validation.tsk
[query_validation]
Validate query parameters
valid_user_id: @validate.integer(@request.user_id)
valid_status: @validate.enum(@request.status, ["active", "inactive", "suspended"])
valid_date_range: @validate.date_range(@request.start_date, @request.end_date)[query_limits]
Limit query results
max_results: @validate.range(@request.limit, 1, 1000)
safe_offset: @validate.range(@request.offset, 0, 10000)๐ CSRF Protection
CSRF Token Management
<?php
// config/csrf-protection.tsk
[csrf]
CSRF token generation and validation
csrf_token: @csrf.generate()
csrf_valid: @csrf.validate(@request.csrf_token)
csrf_field: @csrf.field()[forms]
CSRF-protected forms
login_form: @form.csrf_protected({
"action": "/login",
"method": "POST",
"fields": ["email", "password"]
})config_form: @form.csrf_protected({
"action": "/config/update",
"method": "POST",
"fields": ["setting_name", "setting_value"]
})
Session Security
<?php
// config/session-security.tsk
[session]
Secure session configuration
session_secure: @if(@env("APP_ENV") == "production", true, false)
session_httponly: true
session_samesite: "Strict"
session_lifetime: 3600
session_regenerate: @if(@request.is_authenticated, true, false)๐ Audit Logging
Security Events
<?php
// config/audit-logging.tsk
[security_events]
Log security-related events
config_access: @audit.log("config_access", {
"user_id": @request.user_id,
"ip": @request.ip,
"action": "read",
"resource": "config"
})failed_login: @audit.log("failed_login", {
"ip": @request.ip,
"email": @request.email,
"user_agent": @request.user_agent
})
privilege_escalation: @audit.log("privilege_escalation", {
"user_id": @request.user_id,
"old_role": @request.old_role,
"new_role": @request.new_role,
"admin_id": @request.admin_id
})
[audit_retention]
Audit log retention
retention_days: 365
log_rotation: "daily"
log_compression: trueCompliance Logging
<?php
// config/compliance-logging.tsk
[compliance]
GDPR compliance logging
data_access: @audit.log("data_access", {
"user_id": @request.user_id,
"data_type": @request.data_type,
"purpose": @request.purpose,
"consent": @request.consent
})data_deletion: @audit.log("data_deletion", {
"user_id": @request.user_id,
"data_type": @request.data_type,
"deletion_date": @date.now(),
"reason": @request.reason
})
[sox_compliance]
SOX compliance logging
financial_access: @audit.log("financial_access", {
"user_id": @request.user_id,
"financial_data": @request.financial_data,
"access_time": @date.now(),
"justification": @request.justification
})๐จ Threat Detection
Anomaly Detection
<?php
// config/threat-detection.tsk
[anomaly_detection]
Detect unusual patterns
unusual_login: @security.detect_anomaly("login", {
"ip": @request.ip,
"time": @date.now(),
"success_rate": @security.login_success_rate(@request.ip)
})unusual_access: @security.detect_anomaly("config_access", {
"user_id": @request.user_id,
"time": @date.now(),
"access_frequency": @security.access_frequency(@request.user_id)
})
[threat_scoring]
Threat scoring system
threat_score: @security.calculate_threat_score({
"failed_logins": @security.failed_login_count(@request.ip),
"suspicious_activity": @security.suspicious_activity_count(@request.ip),
"geographic_anomaly": @security.geographic_anomaly(@request.ip)
})is_high_risk: @if($threat_score > 75, true, false)
Rate Limiting
<?php
// config/rate-limiting.tsk
[rate_limits]
Rate limiting configuration
login_attempts: @security.rate_limit(@request.ip, "login", 5, "15m")
api_requests: @security.rate_limit(@request.ip, "api", 1000, "1h")
config_changes: @security.rate_limit(@request.user_id, "config_change", 10, "1h")[adaptive_rate_limiting]
Adaptive rate limiting based on threat level
adaptive_limit: @security.adaptive_rate_limit(@request.ip, {
"base_limit": 100,
"threat_multiplier": 0.5,
"trust_multiplier": 2.0
})๐ง Security Configuration
Environment-Specific Security
<?php
// config/environment-security.tsk
[production]
Production security settings
https_only: true
hsts_enabled: true
csp_enabled: true
xss_protection: true
content_type_nosniff: true
frame_deny: true[development]
Development security settings
https_only: false
hsts_enabled: false
csp_enabled: false
debug_enabled: true
error_reporting: "E_ALL"[staging]
Staging security settings
https_only: true
hsts_enabled: true
csp_enabled: true
debug_enabled: false
error_reporting: "E_ERROR"Security Headers
<?php
// config/security-headers.tsk
[headers]
Security headers configuration
hsts_header: @if(@env("APP_ENV") == "production",
"max-age=31536000; includeSubDomains; preload",
"")csp_header: @security.generate_csp({
"default_src": ["'self'"],
"script_src": ["'self'", "'unsafe-inline'"],
"style_src": ["'self'", "'unsafe-inline'"],
"img_src": ["'self'", "data:", "https:"],
"connect_src": ["'self'", "https://api.example.com"]
})
x_frame_options: "DENY"
x_content_type_options: "nosniff"
x_xss_protection: "1; mode=block"
referrer_policy: "strict-origin-when-cross-origin"
๐งช Security Testing
Penetration Testing Configuration
<?php
// config/security-testing.tsk
[penetration_testing]
Penetration testing mode
pt_mode: @env("PENETRATION_TESTING", "false")
pt_ips: ["192.168.1.100", "10.0.0.50"]
is_pt_ip: @security.ip_in_list(@request.ip, $pt_ips)[security_monitoring]
Security monitoring configuration
monitoring_enabled: @if(@env("SECURITY_MONITORING", "true") == "true", true, false)
alert_threshold: 75
notification_email: @env("SECURITY_ALERT_EMAIL", "security@example.com")Security Validation
<?php
// config/security-validation.tsk
[validation]
Security validation rules
password_policy: @validate.password_policy(@request.password, {
"min_length": 12,
"require_uppercase": true,
"require_lowercase": true,
"require_numbers": true,
"require_special": true,
"max_age_days": 90
})session_validation: @validate.session(@request.session_id, {
"max_age": 3600,
"regenerate_after": 300,
"secure_only": true
})
๐ Best Practices
Security Checklist
<?php
// config/security-checklist.tsk
[checklist]
Security checklist items
encryption_enabled: @if(@env("ENCRYPTION_ENABLED", "true") == "true", true, false)
validation_enabled: @if(@env("VALIDATION_ENABLED", "true") == "true", true, false)
audit_logging_enabled: @if(@env("AUDIT_LOGGING_ENABLED", "true") == "true", true, false)
rate_limiting_enabled: @if(@env("RATE_LIMITING_ENABLED", "true") == "true", true, false)
csrf_protection_enabled: @if(@env("CSRF_PROTECTION_ENABLED", "true") == "true", true, false)[compliance]
Compliance requirements
gdpr_compliant: @if(@env("GDPR_COMPLIANT", "true") == "true", true, false)
sox_compliant: @if(@env("SOX_COMPLIANT", "true") == "true", true, false)
hipaa_compliant: @if(@env("HIPAA_COMPLIANT", "true") == "true", true, false)Security Monitoring
<?php
// config/security-monitoring.tsk
[monitoring]
Security monitoring configuration
security_events: @metrics.counter("security.events", {
"type": @request.event_type,
"severity": @request.severity,
"user_id": @request.user_id
})threat_level: @metrics.gauge("security.threat_level", @security.calculate_threat_level())
response_time: @metrics.histogram("security.response_time", @request.response_time)
๐ Next Steps
Now that you've mastered TuskLang's security features in PHP, explore:
1. Advanced Threat Detection - Implement sophisticated threat detection systems 2. Compliance Frameworks - Meet regulatory requirements 3. Security Automation - Automate security responses 4. Incident Response - Build incident response procedures 5. Security Testing - Implement comprehensive security testing
๐ Need Help?
- Documentation: https://tuskt.sk/documents/php/security - Examples: https://github.com/tusklang/php-examples - Community: https://community.tuskt.sk
---
Ready to secure your PHP applications with TuskLang? You're now a TuskLang security master! ๐