Security

Running User

It is recommended to run webman as a user with lower privileges, for example the same user that nginx runs as. The running user is set with the user and group options in config/server.php.
Likewise, the user for custom processes is set with the user and group options of each process entry in config/process.php.
Note that the monitor process must not be given a running user, because it requires elevated permissions to work properly.

Controller Specification

Only controller files should be placed in the controller directory or its subdirectories; no other class files belong there. Otherwise, if the controller suffix is not enabled, such class files may be reachable through a URL, with unpredictable consequences.
For example, app/controller/model/User.php is actually a Model class that has been wrongly placed in the controller directory. If the controller suffix is not enabled, any method of User.php becomes callable through a URL such as /model/user/xxx.
To rule this out completely, it is strongly recommended to enable the controller suffix so that controller files are explicitly marked as such.

XSS Filtering

For generality, webman does not perform XSS escaping on requests.
Webman strongly recommends escaping for XSS at render time rather than before storing data.
Template engines such as twig, blade, and think-template perform XSS escaping automatically, so no manual escaping is needed, which is very convenient.

Tip
If you escape for XSS before storing data, it is likely to cause compatibility problems with some application plugins.

Preventing SQL Injection

To prevent SQL injection, it is advisable to use an ORM such as illuminate/database or think-orm, and to avoid assembling SQL strings manually when using them.
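The following controller is an added example written for this page, not code from the webman project; it ties together the controller suffix convention above and the SQL injection advice. It assumes config/app.php sets 'controller_suffix' => 'Controller', a users table with id and name columns, and the support\Db facade that webman ships for illuminate/database.

```php
<?php
// Added example (not from the webman docs): app/controller/UserController.php
// Assumes config/app.php sets 'controller_suffix' => 'Controller', so only
// classes whose name ends in "Controller" are reachable by URL; a stray
// app/controller/model/User.php would then not be routable as /model/user/xxx.
namespace app\controller;

use support\Request;
use support\Response;
use support\Db;   // illuminate/database facade shipped with webman

class UserController
{
    // Handles GET /user/show?name=alice
    public function show(Request $request): Response
    {
        $name = (string) $request->get('name', '');

        // Unsafe: interpolating user input into the SQL string lets a crafted
        // value change the statement. This is the "assemble SQL manually"
        // pattern the page advises against.
        // $rows = Db::select("SELECT id, name FROM users WHERE name = '$name'");

        // Safe: the query builder passes $name as a bound parameter, so the
        // database never parses it as SQL, whatever it contains.
        $user = Db::table('users')
            ->select(['id', 'name'])
            ->where('name', '=', $name)
            ->first();

        // Equivalent safe form when raw SQL is unavoidable: placeholders plus
        // a bindings array, never string concatenation.
        // $user = Db::selectOne('SELECT id, name FROM users WHERE name = ?', [$name]);

        if ($user === null) {
            return json(['error' => 'not found'])->withStatus(404);
        }
        return json(['id' => $user->id, 'name' => $user->name]);
    }
}
```

The table name, column names and route are constructed for this example; adjust them to your own schema.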

Nginx Proxy

When your application needs to be exposed to external users, it is strongly recommended to place an nginx proxy in front of webman. It can filter out some malformed HTTP requests and improve security. Please refer to nginx proxy for details.