Security tests

This directory contains a list of tests proving that API Platform enforces OWASP's recommendations for REST APIs. If you find a vulnerability in API Platform, please report it according to the procedure detailed in the CONTRIBUTING.md file.

Authentication and session management

Authentication and session management is delegated to the Symfony Security component. This component has its own test suite.

Authorization

Authorization is delegated to the Symfony Security component. This component has its own test suite.

Input validation

Input validation 101

Input validation is delegated to the Symfony Validator component (an implementation of the JSR-303 Bean Validation specification). This component has its own test suite.

Secure parsing

Parsing is delegated to the Symfony Serializer component. This component has its own test suite.

Strong typing

Strong typing is ensured by our "strong typing" functional test suite and the unit tests of the AbstractItemNormalizer class.

You might also be interested to see how extra attributes are ignored.

Validate incoming content-types

Incoming content-types validation is ensured by our "validate incoming content-types" functional test suite and the unit tests of the DeserializeListener class.

Validate response types

Response type validation is ensured by our "validate response types" functional test suite and the unit tests of the AddFormatListener class.

XML input validation

XML parsing is delegated to the Symfony Serializer component. This component has its own test suite.

Framework-Provided validation

API Platform is shipped with the Symfony Validator component, one of the most popular validation frameworks in the world.

Output encoding

Send security headers

The sending of security headers is ensured by our "send security headers" functional test suite and the unit tests of the RespondListener, ExceptionAction and ValidationExceptionListener classes.

JSON encoding

API Platform relies on the Symfony Serializer component to encode JSON. This component has its own test suite.

XML encoding

API Platform relies on the Symfony Serializer component to encode XML. This component has its own test suite.

Cryptography

Cryptography for transit and storage should be enabled and properly configured on your servers, depending on the nature of your application. API Platform natively supports both HTTPS (always recommended) and HTTP (for read-only public data only).

Message Integrity

API Platform relies on the LexikJWTAuthenticationBundle for JWT support. This bundle and the underlying JSON Object Signing and Encryption library for PHP have their own test suites.

HTTP Return Code

Setting proper HTTP return codes is delegated to the Symfony Security component. This component has its own test suite.