When I built this site, I chose to start from scratch for several reasons. I could've thrown something together using any one of the open source content management systems, but I've been down that road before. Once you customize a popular CMS, it becomes an outright burden to keep up with security fixes and other updates. It's convenient to have so many features and plugins at your disposal, but having thousands of lines of unused/inapplicable code with frequent vulnerability fixes can leave you with an uneasy feeling about what's creeping into each release. Once you have multiple sites in that state, maintaining them starts to feel cumbersome or, worse, like a second job. Additionally, I wanted the freedom to use the code in any project I work on whether I retain ownership of the finished product or not.
That's why I created the Core Web Application Libraries and released the code under the Apache License Version 2.0. They're a lightweight and flexible base for building small to medium-sized websites using PHP. I didn't want to build yet another "kitchen sink" solution that tries to appeal to all developers everywhere. My aim is to keep it lightweight so developers can become intimate with the code while providing enough flexibility that they can extend it to do whatever they want. Security is a primary focus and keeping the code lean makes it easier for anyone to audit at any time. It can't address all possibilities, of course, but my intention is to provide a secure foundation "out of the box" so that any additional measures the developer takes are icing on the cake.
The code isn't quite where I want it to be, but it's fully functional and close enough to welcome more eyes looking at it. To make it painless for developers to ramp up, I've also created two projects that leverage the libraries:
- Core Web Application Site is a "starter" website with a home page, about page, and a contact form. If the site you're building doesn't need per-page visitor comments or sharing options, this is the perfect baseline for you.
- Core Web Application Blog is a minimalist blogging platform that includes a WYSIWYG blog post editor, tags, an RSS feed, and multiple sharing options. It also integrates with Disqus to allow visitors to leave comments. If you're building a blog (or any CMS-like site) but don't want the bulk that comes with popular alternatives, clone this project. You'll get a blog that's almost the same as mine while being easy to redesign to suit your tastes.
Some features provided by both projects include:
- Responsive design that works well at multiple screen resolutions on devices of all sizes.
- Search engine (and human!) friendly URLs with a consistent format: /controller/method/parameter
- Ability to return data in a variety of content types such as HTML, JSON, or Atom/RSS by creating new view templates.
- Includes structured data to improve indexing by search engines.
- Error pages match the site design and can be easily customized for all errors or by HTTP status code.
- Site Admin section with multiple tools to facilitate common tasks:
  - Code Editor for minor ad-hoc changes
  - DB Administrator to perform queries and database backups
  - Log Viewer with filtering options
  - QA Assistant to review methods, parameters, and permissions
- Lightweight and flexible base classes make it easy to master and extend the code.
- Uses the MVC design pattern and other web application best practices.
- Many built-in protections against common web application vulnerabilities/exploits:
  - Primarily uses prepared statements to deter SQL injection attacks.
  - Clickjacking defenses encompass multiple headers as well as JavaScript.
  - Automatic sanitization of simple variables passed to views and easy sanitization of other content to defend against cross-site scripting (XSS).
  - Cross-site request forgery (CSRF) prevention using the synchronizer token pattern for all POST requests.
  - Role-based method access is straightforward to configure and a cinch to validate with the QA Assistant.
  - User passwords are stored strongly hashed and salted.
  - Full session teardown and recreation upon login to inhibit session fixation.
  - Sessions are pinned to the user's IP and user agent string to thwart hijacking.
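To make the last three protections concrete, here is an added example (not code from the Core Web Application Libraries) showing the session recreation on login, the IP/user-agent pinning check, and the synchronizer-token check for POST requests as stand-alone PHP functions; all function names are my own.

```php
<?php
// Added example, not the project's code. Function names are assumed.
declare(strict_types=1);

// Tear down the pre-login session and start a fresh one, so a session id
// that existed before authentication is never promoted to a logged-in one.
function recreateSessionOnLogin(int $userId): void
{
    $_SESSION = [];
    session_regenerate_id(true);          // new id; old id deleted server-side
    $_SESSION['user_id']    = $userId;
    $_SESSION['ip']         = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Pinning check: a logged-in session must be presented from the same
// IP and user agent string it was created with. Anonymous sessions pass.
function sessionIsPinnedToClient(): bool
{
    if (!isset($_SESSION['user_id'])) {
        return true;
    }
    return isset($_SESSION['ip'], $_SESSION['user_agent'])
        && hash_equals($_SESSION['ip'], $_SERVER['REMOTE_ADDR'] ?? '')
        && hash_equals($_SESSION['user_agent'], $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Hidden field to embed in every form rendered by a view.
function csrfTokenField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') . '">';
}

// Synchronizer token check: the submitted token must match the one stored
// in the session, compared in constant time.
function csrfTokenIsValid(array $post): bool
{
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// Front-controller usage: run before dispatching any request.
session_start();
$_SESSION['csrf_token'] ??= bin2hex(random_bytes(32)); // anonymous forms too
if (!sessionIsPinnedToClient()
    || ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfTokenIsValid($_POST))) {
    http_response_code(403);
    exit('Request rejected');
}
```

Pinning to the client IP will log out legitimate users whose address changes mid-session (mobile networks, proxies), so treat it as a trade-off rather than a free defense.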
I look forward to getting feedback and improving these projects over time. If you find a bug or have a feature request, please submit it on the appropriate GitHub project page. If you build a site using one of these projects, I'd love to hear about it. Please contact me or add a comment below.