Security with CI

My first CI web app is now at the final stages. I've been reading articles about security for a while, especially the last couple of days. But now I want to seriously understand what the risks are specifically re: the CI 3.1.2 framework I'm using. I'd like to understand what I need to do to make this app as secure as possible.

In this app there is no important user information like credit card numbers or social security numbers used, much less stored in the db (MySQL). But I'd like to be sure my app does not become a path into my users' computers by others - or endanger my users' security in any other way.

Currently I am using query builder (in models) for all my db transactions. I am using XSS filtering and form validation in the logon controller. I expect I should add XSS filtering for all other user input instances as a matter of course. So far I can't wrap my brain around CSRF filtering and so hesitate to use it. I have no forms except for logon. All user events, mostly mouse clicks on elements, are registered with js/jq code and I use $(posts)'s and controller echoes for communicating with the server.

Ideally, I'd like to find an article that says

a) here are the risks for any web app. (I've actually read several of those.)
b) here are the risks that CI mitigates or eliminates automatically if you use . . . . And
c) here are the risks that I definitely need to competently configure my code to deal with - and perhaps advice on best practices.

Ideally, some of you longtime CI users know about a good article, book, video lecture or course like this out there someplace. If not, maybe you could point me in whatever direction might get me headed where I'd like to go. Thanks in advance for any wisdom you could pass along.


Messages In This Thread
Security with CI - by codeguy - 03-21-2018, 10:07 AM