Yii2 Site Security Tips


A list of best practices for securing Yii2 applications.

Consider the following points to secure your Yii2 application.

Filter Input:

  • Use Yii2 forms wherever possible.
  • If you are not using a Yii2 form, validate the input yourself.

File Upload Validation:

  • File extension validation
  • File mime type validation

Avoiding SQL injection:

  • SQL injection happens when query text is formed by concatenating unescaped input (that is, when input variables are used directly in SQL queries). Bind the value as a parameter instead:

->where('status=:status', [':status' => $status])->all();


Avoiding XSS:

Avoiding XSS is quite easy in Yii. There are generally two cases:

  • You want data to be outputted as plain text. If all you need is plain text, then escaping is as easy as the following:
    <?= \yii\helpers\Html::encode($username) ?>
  • You want data to be outputted as HTML. If it should be HTML, we can get some help from HtmlPurifier:
    <?= \yii\helpers\HtmlPurifier::process($description) ?>

Avoiding CSRF (Cross-site request forgery):

  • In order to avoid CSRF you should always:
    • Follow the HTTP specification, i.e. GET should not change application state.
    • Keep Yii CSRF protection enabled.

Avoiding debug info and tools in production:

  • Never run production applications with YII_DEBUG set to true in your php.

Avoiding Host-header attacks:

If the webserver is configured to serve the site regardless of the value of the Host header, this information may not be reliable and may be faked by the user sending the HTTP request. In such situations you should either fix your webserver configuration to serve the site only for specified host names, or explicitly set or filter the value by setting the hostInfo property of the request application component.

If you don't have access to the server configuration, you can set up the yii\filters\HostControl filter at the application level to protect against this kind of attack.
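The two application-level options described above, shown together in one web application config. This is an added example, not code from the original post; the file path, the example.com host names and the COOKIE_VALIDATION_KEY environment variable are assumptions to replace with your own values.

```php
<?php
// config/web.php (assumed path of the web application config)

return [
    'id' => 'app',
    'basePath' => dirname(__DIR__),

    // Option 1: HostControl attached as an application-level behavior.
    // It runs before every action and denies any request whose Host
    // header does not match allowedHosts (by default with a 404).
    'as hostControl' => [
        'class' => \yii\filters\HostControl::class,
        'allowedHosts' => [
            'example.com',      // placeholder: exact host name
            '*.example.com',    // placeholder: wildcard for subdomains
        ],
        // Trusted host info used while rendering the denial response,
        // so links on the error page are not built from the faked header.
        'fallbackHostInfo' => 'https://example.com',
    ],

    'components' => [
        'request' => [
            // Option 2: pin hostInfo so it is never derived from the
            // request. Absolute URLs (for example links placed in
            // e-mails) are then always built from this value.
            'hostInfo' => 'https://example.com',

            // Assumed environment variable; keep your existing key here.
            'cookieValidationKey' => getenv('COOKIE_VALIDATION_KEY'),
        ],
        // ... the rest of your existing components stay unchanged
    ],
];
```

The two options are independent: HostControl rejects the request outright, while a fixed hostInfo only stops the faked value from reaching generated URLs.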

Avoid File exposure:

  • Deny access to everything except web

Headers Protection:

Follow the article below to set security headers.

My .htaccess settings are:

We can test the security headers of any site using this link: https://securityheaders.io/


1 Comment


  1. MartinNet

    May 6, 2018 at 9:09 pm

    Hi All im noob here. Good article! Thx! Thx!
