Security & Common Attacks
=========================

.. list-table::
   :header-rows: 1
   :widths: 20 80

   * - **Attack Type**
     - **How LacePHP Defends**
   * - SQL Injection
     - All database access goes through PDO + prepared statements in the QueryBuilder.  
       Parameters (`?` bindings) never get interpolated directly into SQL.
   * - Cross-Site Scripting (XSS)
     - ShoeRequest sanitises incoming data by stripping HTML tags and null bytes.  
       Developers should still use ``htmlspecialchars()`` when rendering untrusted content.
   * - Cross-Site Request Forgery (CSRF)
     - Built-in CSRF token generation in ShoeRequest (one per session).  
       Use ``validateCsrf()`` on state-changing requests and ``csrfField()`` in your forms.
   * - Mass Assignment / Overposting
     - Models declare a ``$fillable`` whitelist—only those attributes are written by ``save()``.
   * - Session Hijacking
     - Sessions start under PHP’s secure defaults in ShoeRequest.  
       You may harden cookie flags via middleware or your php.ini.
   * - File-Upload Attacks
     - ShoeRequest sanitises the ``$_FILES`` array (strips dangerous filenames).  
       Add MIME-type and size checks in your upload handlers.
   * - Directory Traversal / LFI
     - The view loader only includes from two fixed folders (``weave/Views`` or ``shoebox/views``).  
       The autoloader only resolves PSR-4 prefixes—no arbitrary ``require`` calls.
   * - Remote Code Execution
     - No ``eval()`` of user input.  
       All shell commands (scheduler tasks, deploy hooks) originate from your code, never from user data.
   * - Clickjacking
     - You can add custom middleware (e.g. FrameGuardKnots) to set ``X-Frame-Options``.  
       CorsKnots handles CORS but not frame-ancestors policies.
   * - Rate-Limiting / DoS
     - RateLimitKnots enforces per-IP request limits.  
       ShoeCacheKnots caches GET responses on disk when enabled, reducing load.
   * - Configuration Leakage
     - All secrets live in ``.env`` (never committed).  
       ``config()`` merges env values into arrays without exposing raw files.
   * - Sensitive-Data Exposure
     - Error templates only show stack traces when ``errors.show_debug`` is true in ``lace.json``.  
       Always disable debug in production.
   * - Open Redirects
     - Router dispatches only to your defined handlers—no generic “redirect to URL” patterns.
   * - Insecure Deserialization
     - JSON decoding in ShoeRequest is only used for known API endpoints; no ``unserialize()`` on untrusted data.

How to Make Sure You’re Covered
-------------------------------

1. **Keep Dependencies Updated**  
   Even though LacePHP ships with minimal internal components, any third-party library (e.g. GraphQL) should be kept current to receive security fixes.

2. **Enable Production Settings**  
   - In ``lace.json`` set ``"errors.show_debug": false``.  
   - Apply IP whitelisting/blacklisting for internal endpoints such as ``/lace/dashboard`` or ``/lace/health``.

3. **Write Strict Validation Rules**  
   Use `RequestValidator` to enforce field types, lengths and custom business rules before any database or business logic runs.

4. **Review and Extend Your Middleware Stack**  
   Add extra guards (for example FrameGuardKnots or ContentSecurityPolicyKnots) as required by your application’s risk profile.

By combining these built-in protections with secure development practices (strong passwords, HTTPS everywhere, least-privilege permissions), you’ll have a robust defence against the vast majority of web application threats.

|
|