Anchor provides comprehensive security features to protect your application against common web vulnerabilities. This guide covers the frameworks approach to securing data, identities, and resources.

• APP_KEY generated and secured (php dock make:key)
• HTTPS enabled (APP_SECURE=true)
• Debug mode disabled (APP_DEBUG=false)
• CSRF protection enabled in App/Config/default.php
• Security headers middleware enabled in App/Config/middleware.php
• Strong password policies enforced in App/Requests
• File upload validation implemented using moveSecurely()
• Database credentials secured in .env
• Firewall thresholds set appropriately in App/Config/firewall.php

• All user input validated via Request classes
• Output escaped in views using <?= $this->escape($var) ?>
• Parameterized queries used via the Query Builder
• Passwords hashed with Argon2ID via enc()->hashPassword()
• Sensitive data encrypted at rest using encrypt()
• Authorization checks implemented via $this->auth->isAuthorized()

Anchor protects against Cross-Site Request Forgery by default for all state-changing requests (POST, PUT, DELETE). It uses constant-time comparisons (hash_equals) for both the token and the origin-check hash to prevent timing attacks.

// In forms
<form method="POST">
    <?php echo $this->csrf(); ?>
    <!-- form fields -->
</form>

// In AJAX (using the global helper)
fetch('/api/endpoint', {
    headers: {
        'X-CSRF-Token': '<?= csrf_token() ?>'
    }
});

Configuration: App/Config/default.php → csrf

The framework core utilizes PDO with parameterized queries for all database operations, making SQL injection nearly impossible when using standard methods.

// Safe - uses bindings automatically
User::query()->where('email', '=', $email)->first();

// Safe - manual bindings for complex queries
DB::query("SELECT * FROM users WHERE status = ?", ['active'])->get();

Anchor provides multi-layered XSS protection:

• Output Escaping: The view system provides $this->escape() for safe output.
• Security Headers: Middleware adds X-XSS-Protection and X-Content-Type-Options headers.

// Safe - automatically escaped if using the escape method
<?= $this->escape($user->bio) ?>

// Unsafe - use ONLY for trusted content
<?= $user->html_content ?>

Anchor uses Argon2ID for password hashing, which is the current industry standard.

Use the enc() helper to handle password operations securely:

// Hash a password using Argon2ID
$hashedPassword = enc()->hashPassword('secure-password');

// Verify a password
if (enc()->verifyPassword('input-password', $hashedPassword)) {
    // Valid
}

Verify a user's status and permissions through the AuthManager:

// Check if user is logged in
if ($this->auth->isAuthenticated()) { ... }

// Check route-level authorization
if ($this->auth->isAuthorized($route)) { ... }

Anchor provides high-level drivers for data and file encryption:

• Strings: AES-256-GCM (via encrypt() / decrypt())
• Passwords: Argon2ID (via enc()->hashPassword())
• Files: PBKDF2 with high iteration counts.

// Encrypt sensitive string data
$encrypted = encrypt('personal-info');

// Decrypt
$decrypted = decrypt($encrypted);

The Firewall system protects against brute force attacks and malicious traffic.

The firewall is automatically integrated into the authentication flow via system events:

• LoginEvent: Resets the failure counter upon success (LoginListener).
• LoginFailedEvent: Increments the failure counter and triggers blocks (LoginFailedListener).

You can also trigger firewall checks manually in your services or controllers:

use Security\Firewall\Drivers\AccountFirewall;

$firewall = resolve(AccountFirewall::class);

$firewall->user(['id' => $userId])->handle();

if ($firewall->isBlocked()) {
    // Return error or redirect
}

Never trust user-supplied filenames or MIME types. Use the moveSecurely() method on uploaded files.

$path = $file->moveSecurely('/uploads/avatars', [
    'type' => 'image',             // Validation against actual file content
    'maxSize' => 2 * 1024 * 1024,  // 2MB
    'extensions' => ['jpg', 'png'] // Only allow these extensions
]);

The framework prevents open redirect vulnerabilities by validating redirect URLs. By default, Response::redirect() only allows URLs internal to your application.

// Safe - internal URL
return $this->response->redirect('/dashboard');

// Blocked by default - external URL
return $this->response->redirect('https://malicious.com');

// Explicitly allow external redirect
return $this->response->redirect('https://trusted-site.com', 302, true);

Anchor provides utilities to ensure file operations stay within allowed directory trees, preventing ../ traversal attacks.

use Helpers\File\Paths;

// Resolves path and throws exception if it traverses outside the project root
$safePath = Paths::securePath($userInputPath);

// Verify if a path is within a specific base
if (FileSystem::isWithin($path, storage_path())) {
    // Authorized access
}

Sessions are secured using several techniques:

• Database Storage: Prevents session hijacking via local file access.
• Secure Cookies: http_only, secure, and SameSite=Lax are defaults.
• Rotation: SessionGuard automatically regenerates the session ID upon login and logout to prevent fixation attacks.

Anchor's security architecture supports compliance standards including GDPR, PCI DSS, and HIPAA through its implementation of encryption at rest, secure data handling, and comprehensive auditing.