Web Application Security

Hi folks.

I was wondering if the basic skeleton of a web application generated by the yiic tool is secure enough for big sites. By big sites I mean, let's say, up to 10.0000 visits per day. Small sites don't attract much hacker attention, unlike big ones. (Am I wrong?) So I was thinking about the security issues.

Maybe separate the config files, runtime, components, models and controllers into a non-public folder, and keep the views in the public one, instead of just protecting the files with an htaccess.

What do you think about it? Should I be concerned about it? I just got a big project and want to start right so I won't waste extra time afterwards.

Best regards!

There is no difference at all between protecting with htaccess and "separating under the non-public folder".

For security issues read this part of the definitive guide, where it is explained how to prevent XSS and CSRF attacks.

Remember, developing a 'small' site is not a good reason for working unsafely! Be careful anyway.
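For reference, this is what the guide's XSS and CSRF advice looks like in a Yii 1.1 configuration. It is an added example, not code from the thread or from the Yii project; the file path and the `basePath` layout are assumptions. Both request-level protections are off by default in Yii 1.1.

```php
<?php
// protected/config/main.php (assumed path): turn on the request-layer protections
// that Yii 1.1 ships with but leaves disabled in the yiic skeleton.
return array(
    'basePath'   => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..',
    'components' => array(
        'request' => array(
            // Every POST must carry the token that CHtml::form() embeds as a hidden
            // field; a request without a matching token is rejected with HTTP 400
            // before any controller action runs.
            'enableCsrfValidation'   => true,
            // Cookies are signed with a server-side key, so a tampered cookie is
            // silently dropped instead of being trusted by the application.
            'enableCookieValidation' => true,
        ),
    ),
);
```

The config covers CSRF and cookie integrity; XSS is handled in the views, where any user-supplied value is wrapped in `CHtml::encode()` before it is echoed. With CSRF validation on, forms built with `CHtml::form()` get the hidden token automatically, while hand-written `<form>` tags and AJAX POSTs must include it themselves.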

Thanks dude. I will read the article. thanks!

Well, protecting folders using htaccess is related only to Apache and therefore to the web front end of the application. If you also provide other ways to the data, let's say FTP or maybe even some sort of restricted shell access, it might be worth separating parts of the application that shouldn't be accessed.

As far as I can remember, you can move the whole “protected” folder out of apache’s document root…

But to be honest: I’ve never tried it, and I think there are more important security tasks you’ll have to keep an eye on. However, it depends on what you’re planning to do.

Yeah… maybe I’m forgetting a lot of things… but I will study it more.

I always move the 'protected' folder out of the document root. You just need to edit the path to this folder in index.php (or any scripts you're going to call).
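Here is what that relocated layout looks like in the entry script. It is an added example, not code from the thread or from the Yii project; the directory names (`/var/www/example/public_html` as the web root, with `framework` and `protected` one level up) are assumptions. Because the application code sits outside the document root, Apache cannot serve it even if `.htaccess` is ignored (`AllowOverride None`) or mistyped, which is the practical difference from relying on htaccess alone.

```php
<?php
// public_html/index.php (assumed path): the only PHP file that has to live in the web root.
// Assumed layout:
//   /var/www/example/public_html/index.php   <- document root
//   /var/www/example/framework/yii.php       <- Yii framework, outside the web root
//   /var/www/example/protected/...           <- application code, outside the web root
$appRoot = dirname(__DIR__);                        // /var/www/example
$yii     = $appRoot . '/framework/yii.php';         // framework moved out of the web root
$config  = $appRoot . '/protected/config/main.php'; // relocated "protected" folder

// Fail closed on a broken layout instead of leaking a PHP warning with server paths.
if (!is_file($yii) || !is_file($config)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('Application is not configured.');
}

// Production settings: no debug output and no stack traces sent to the browser.
defined('YII_DEBUG') or define('YII_DEBUG', false);
defined('YII_TRACE_LEVEL') or define('YII_TRACE_LEVEL', 0);

require_once($yii);
Yii::createWebApplication($config)->run();
```

Yii derives `basePath` (and with it `runtimePath`) from the location of the config file, so `protected/runtime` moves out of the web root along with the rest. The `assets` folder must stay inside `public_html`, since the browser fetches published assets from it directly.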