Does PW support OWASP

[mrkhan]

Hello,

i am developing one web application in PW and my customer want to know that does PW support all security measures in OWASP?

this is just for their website security and they want to be sure that their CMS is safe.

i hope many of you are aware of this and help me in this.

Thanks

[LostKobrakai]

I guess the question with ProcessWire is rather, does the code you create conform those suggestions? From a quick dash through their php cheatsheet it seems that the core is honoring a least most of those, but to be sure you'd need Ryan's answer.

[mrkhan]

Hello,

thanks for reply and yes i am looking for Ryan's answer on PW core.

Thanks

[teppo]

From a quick dash through their php cheatsheet it seems that the core is honoring a least most of those, but to be sure you'd need Ryan's answer.

Just did the same, and can't spot any issues either. We're already using prepared statements, sessions are securely implemented (especially if you enable the built-in database session manager), CSRF protection is in place, .htaccess prevents direct access to anything potentially harmful, etc.

Some of their suggestions are strongly opinionated, and in those cases we don't necessarily follow them and/or agree with them. For an example, OWASP suggests that a templating engine is "essential" for secure sites. Personally I call bullshit on that one, but if you really want to, you can install a templating engine as a separate module, thus making your site compliant with this suggestion.

Another point to note is that they (rightly) stress that all input is dirty, and no user input should ever be embedded on a site without proper sanitization. Because use cases differ, ProcessWire won't force sanitization on you, but it does make it very easy to implement by using the built-in Sanitizer, certain Textformatters, and field-level settings that automatically remove tags from content.

I would suggest checking out the security documentation, unless you've already done that. It should provide most of the details you need in order to build sites with ProcessWire securely.