
Security: zenhaust/slim4-skeleton


docs/security.md

---
layout: default
title: Security
nav_order: 5
---

Security

Basic Authentication

This API skeleton uses Basic authentication.

HTTP Basic authentication is an authentication scheme built into the HTTP protocol. The credentials are only Base64-encoded, not encrypted (the header below carries api-user:secret), so it is a secure mechanism only as long as the client transmits them over HTTPS.

Authorization: Basic YXBpLXVzZXI6c2VjcmV0

The default API credentials are: api-admin / secret and api-user / secret. To set up the users, copy the example file from config/env.example.php to config/env.php and change the user credentials as desired. Read more: Installation

Please note that the API credentials are not the same as the users in the example "users" database table.

Read more:
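The check described above, written out as a PSR-15 middleware for Slim 4. This is an added example, not the skeleton's own code: the user map is assumed to be loaded from config/env.php under a settings key named api_auth (an assumption), and it stores password_hash() hashes rather than the plain credentials shown above.

```php
<?php
// Added example (not the skeleton's own code): PSR-15 middleware for Slim 4 that
// checks HTTP Basic credentials against a username => password-hash map.
// The settings key 'api_auth' used in the wiring comment below is an assumption.
declare(strict_types=1);

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Psr7\Response;

final class BasicAuthMiddleware implements MiddlewareInterface
{
    /** @var array<string,string> username => hash produced by password_hash() */
    private array $users;

    /** Hash used when the username is unknown, so the check costs the same either way. */
    private string $dummyHash;

    public function __construct(array $users)
    {
        $this->users = $users;
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $credentials = $this->parseHeader($request->getHeaderLine('Authorization'));
        if ($credentials === null) {
            return $this->unauthorized();
        }
        [$username, $password] = $credentials;

        // Always run password_verify(), so an unknown user takes as long as a wrong password.
        $hash = $this->users[$username] ?? $this->dummyHash;
        $valid = password_verify($password, $hash) && isset($this->users[$username]);
        if (!$valid) {
            return $this->unauthorized();
        }

        // Expose the authenticated API user to downstream route handlers.
        return $handler->handle($request->withAttribute('auth_user', $username));
    }

    /** @return array{0:string,1:string}|null [username, password], or null when malformed */
    private function parseHeader(string $header): ?array
    {
        if (preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m) !== 1) {
            return null;
        }
        $decoded = base64_decode($m[1], true); // strict mode rejects junk characters
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        // RFC 7617: the user-id cannot contain ':', the password may, so split on the first one only.
        return explode(':', $decoded, 2);
    }

    private function unauthorized(): ResponseInterface
    {
        $response = new Response(401);
        $response->getBody()->write('{"error":"Unauthorized"}');

        return $response
            ->withHeader('WWW-Authenticate', 'Basic realm="API", charset="UTF-8"')
            ->withHeader('Content-Type', 'application/json');
    }
}

// Wiring (assumed shape of config/env.php; keep hashes there, not plain passwords):
// $settings['api_auth']['users'] = ['api-user' => password_hash('secret', PASSWORD_DEFAULT)];
// $app->add(new BasicAuthMiddleware($settings['api_auth']['users']));
```

The 401 response always carries a WWW-Authenticate header, and the failure branches are deliberately indistinguishable to the client: a missing header, an unknown user and a wrong password all produce the same response in roughly the same time.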

OAuth 2.0

For authorization you could consider using OAuth 2.0 in combination with a signed JSON Web Token.

The JWTs can be used as OAuth 2.0 Bearer tokens to encode all relevant parts of an access token into the access token itself, instead of having to store them in a database.

Please note: OAuth 2.0 is not an authentication protocol.

Clients may use the HTTP Basic authentication scheme, as defined in RFC 2617, to authenticate with the server.

After successful authentication, the client sends its token within the Authorization request header:

Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia

lcobucci/jwt is a good library to work with JSON Web Token (JWT) and JSON Web Signature based on RFC 7519.

Read more:
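The bearer-token flow above, issuing a signed JWT after Basic authentication and verifying it on later requests. This is an added example using the lcobucci/jwt 4.x API, not code from the skeleton: the issuer, audience, secret placeholder and the 15-minute lifetime are constructed values.

```php
<?php
// Added example (not the skeleton's own code): issue and verify an HS256-signed JWT
// with lcobucci/jwt 4.x for use as an OAuth 2.0 bearer token.
// ISSUER, AUDIENCE, the secret fallback and the lifetime are constructed values.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\UnencryptedToken;
use Lcobucci\JWT\Validation\Constraint\IssuedBy;
use Lcobucci\JWT\Validation\Constraint\PermittedFor;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\StrictValidAt;

const ISSUER   = 'https://api.example.test';
const AUDIENCE = 'https://api.example.test';

function jwtConfig(): Configuration
{
    // Use a random secret of at least 32 bytes for HS256 and load it from config/env.php;
    // the fallback string here is a constructed placeholder for the example only.
    $secret = getenv('JWT_SECRET') ?: 'replace-me-with-32-plus-random-bytes!!';

    return Configuration::forSymmetricSigner(new Sha256(), InMemory::plainText($secret));
}

/** Issue a short-lived access token once Basic authentication has succeeded. */
function issueToken(string $username): string
{
    $config = jwtConfig();
    $now = new DateTimeImmutable();

    $token = $config->builder()
        ->issuedBy(ISSUER)
        ->permittedFor(AUDIENCE)
        ->identifiedBy(bin2hex(random_bytes(16))) // jti: lets a revocation list name this token
        ->issuedAt($now)
        ->canOnlyBeUsedAfter($now)
        ->expiresAt($now->modify('+15 minutes'))
        ->relatedTo($username)                     // sub
        ->getToken($config->signer(), $config->signingKey());

    return $token->toString();
}

/** Parse "Authorization: Bearer <token>", verify it, and return the subject or null. */
function authenticateBearer(string $authorizationHeader): ?string
{
    if (preg_match('/^Bearer\s+([A-Za-z0-9\-_.]+)$/', $authorizationHeader, $m) !== 1) {
        return null;
    }
    $config = jwtConfig();

    try {
        $token = $config->parser()->parse($m[1]);
        if (!$token instanceof UnencryptedToken) {
            return null;
        }
        // A token that merely parses is never trusted: signature, exp/nbf/iat window,
        // issuer and audience are all required to match.
        $config->validator()->assert(
            $token,
            new SignedWith($config->signer(), $config->verificationKey()),
            new StrictValidAt(SystemClock::fromUTC()),
            new IssuedBy(ISSUER),
            new PermittedFor(AUDIENCE)
        );
    } catch (\Lcobucci\JWT\Exception $e) {
        // Malformed token or a violated constraint: treat both as unauthenticated.
        return null;
    }

    return $token->claims()->get('sub');
}

$jwt = issueToken('api-user');
echo 'Authorization: Bearer ' . $jwt . PHP_EOL;
echo 'valid token   -> ', var_export(authenticateBearer('Bearer ' . $jwt), true), PHP_EOL;
echo 'tampered token -> ', var_export(authenticateBearer('Bearer ' . $jwt . 'x'), true), PHP_EOL;
```

The constraints list is the important part: SignedWith rejects tokens signed with another key or with the signature stripped, StrictValidAt enforces the time window, and IssuedBy/PermittedFor stop a token minted for a different service from being accepted here.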

CSRF protection

SameSite Cookies

Cross-Origin Resource Sharing (CORS)

Cross Site Scripting Prevention

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by injecting malicious code into a legitimate web page or web application.

To prevent XSS, use an auto-escaping template system such as Twig, or libraries that are specifically designed to sanitize HTML input:

Read more
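Twig's auto-escaping applied to an untrusted value, with htmlspecialchars() for output that bypasses the template engine. This is an added example, not code from the skeleton; the template, the constructed input and the helper name e() are assumptions for the illustration.

```php
<?php
// Added example (not the skeleton's own code): Twig autoescape versus manual escaping.
// The template, the constructed input and the helper name e() are assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed untrusted input of the kind a user could submit in a form field.
$untrusted = '<img src=x onerror="alert(1)">';

$twig = new Environment(
    new ArrayLoader([
        // Every {{ }} output is escaped for the HTML body context by default.
        // {{ name|raw }} would switch escaping off and must only be used for markup
        // the application generated itself.
        'profile.html' => '<p>Hello {{ name }}</p>',
        // Attribute and JavaScript contexts need the matching escaping strategy;
        // HTML-body escaping alone is not sufficient there.
        'link.html'    => '<a title="{{ name|e(\'html_attr\') }}">profile</a>'
            . '<script>var n = {{ name|e(\'js\') }};</script>',
    ]),
    ['autoescape' => 'html'] // the default; shown explicitly so nobody turns it off by accident
);

// The angle brackets and quotes are turned into entities, so the browser renders
// the payload as visible text instead of creating an <img> element.
echo $twig->render('profile.html', ['name' => $untrusted]), PHP_EOL;
echo $twig->render('link.html', ['name' => $untrusted]), PHP_EOL;

/** Escape a value for the HTML body context outside Twig (hand-built responses, error pages). */
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8 from
    // silently producing an empty string, and the charset must match the page.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

echo '<p>Hello ' . e($untrusted) . '</p>', PHP_EOL;
```

Escaping is context-dependent: the HTML-body strategy is correct for text between tags, while values inserted into attributes, URLs, JavaScript or CSS need the corresponding Twig escaping strategy (html_attr, url, js, css), which the second template shows.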

HTTPS / SSL

Spam Protection

IP Filter

More Resources
