Security & Common Attacks

Attack Type	How LacePHP Defends
SQL Injection	All database access goes through PDO + prepared statements in the QueryBuilder. Parameters (? bindings) never get interpolated directly into SQL.
Cross-Site Scripting (XSS)	ShoeRequest sanitises incoming data by stripping HTML tags and null bytes. Developers should still use htmlspecialchars() when rendering untrusted content.
Cross-Site Request Forgery (CSRF)	Built-in CSRF token generation in ShoeRequest (one per session). Use validateCsrf() on state-changing requests and csrfField() in your forms.
Mass Assignment / Overposting	Models declare a $fillable whitelist—only those attributes are written by save().
Session Hijacking	Sessions start under PHP’s secure defaults in ShoeRequest. You may harden cookie flags via middleware or your php.ini.
File-Upload Attacks	ShoeRequest sanitises the $_FILES array (strips dangerous filenames). Add MIME-type and size checks in your upload handlers.
Directory Traversal / LFI	The view loader only includes from two fixed folders (weave/Views or shoebox/views). The autoloader only resolves PSR-4 prefixes—no arbitrary require calls.
Remote Code Execution	No eval() of user input. All shell commands (scheduler tasks, deploy hooks) originate from your code, never from user data.
Clickjacking	You can add custom middleware (e.g. FrameGuardKnots) to set X-Frame-Options. CorsKnots handles CORS but not frame-ancestors policies.
Rate-Limiting / DoS	RateLimitKnots enforces per-IP request limits. ShoeCacheKnots caches GET responses on disk when enabled, reducing load.
Configuration Leakage	All secrets live in .env (never committed). config() merges env values into arrays without exposing raw files.
Sensitive-Data Exposure	Error templates only show stack traces when errors.show_debug is true in lace.json. Always disable debug in production.
Open Redirects	Router dispatches only to your defined handlers—no generic “redirect to URL” patterns.
Insecure Deserialization	JSON decoding in ShoeRequest is only used for known API endpoints; no unserialize() on untrusted data.

How to Make Sure You’re Covered

1. Keep Dependencies Updated Even though LacePHP ships with minimal internal components, any third-party library (e.g. GraphQL) should be kept current to receive security fixes.

2. Enable Production Settings - In lace.json set "errors.show_debug": false. - Apply IP whitelisting/blacklisting for internal endpoints such as /lace/dashboard or /lace/health.

3. Write Strict Validation Rules Use RequestValidator to enforce field types, lengths and custom business rules before any database or business logic runs.

4. Review and Extend Your Middleware Stack Add extra guards (for example FrameGuardKnots or ContentSecurityPolicyKnots) as required by your application’s risk profile.

By combining these built-in protections with secure development practices (strong passwords, HTTPS everywhere, least-privilege permissions), you’ll have a robust defence against the vast majority of web application threats.