Zend Framework 3 follows best practices to provide you with a secure code base for your websites. ZF3 creators release security patches once the community of users finds a problem. You can incorporate those fixes with a single command through the Composer dependency manager.
Practice shows that using a framework for writing your website is more secure than using "pure" PHP, because you don't need to reinvent the wheel. Most security vulnerabilities in frameworks are already known and fixed by the community of users.
ZF3 provides the following features to help you make your website secure:
The entry script (index.php) is the only PHP file accessible to web visitors. All other PHP files are located outside of the Apache document root. This is much more secure than allowing everyone to visit any of your PHP scripts.
Routing allows you to define strict rules for what an acceptable page URL looks like. If a site user enters an invalid URL in a web browser's navigation bar, they are automatically redirected to an error page.
Access control lists (ACL) and Role-Based Access Control (RBAC) allow you to define flexible rules for granting or denying access to certain resources of your website. For example, an anonymous user would have access to your index page only, authenticated users would have access to their profile page, and the administrator user would have access to the site management panel.
Form validators and filters ensure that no unwanted data is collected through web forms. Filters, for example, allow you to trim strings or strip HTML tags. Validators are used to check that the data submitted through a form conforms to certain rules. For example, the E-mail validator checks that an E-mail field contains a valid E-mail address, and if not, raises an error forcing the site user to correct the input.
Captcha and CSRF (Cross-Site Request Forgery) form elements are used for human checks and hacker attack prevention, respectively.
The Zend\Escaper component allows you to strip unwanted HTML tags from data output to site pages.
Cryptography support allows you to store your sensitive data (e.g. credentials) encrypted with strong cryptographic algorithms that are difficult to hack.
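
The filter and validator behaviour described in the form validators item above, as an added example (not code from the original page or from the ZF3 project). It assumes zend-inputfilter is installed through Composer; the field names, the buildContactFilter() helper and the sample submissions are constructed for illustration.

```php
<?php
// Added illustration. Assumes zendframework/zend-inputfilter (which pulls in
// zend-filter and zend-validator) has been installed through Composer.
require __DIR__ . '/vendor/autoload.php';

use Zend\InputFilter\InputFilter;

// Hypothetical helper: rules for a two-field contact form.
function buildContactFilter(): InputFilter
{
    $inputFilter = new InputFilter();

    // Filters run first (trim whitespace), then validators check the result.
    $inputFilter->add([
        'name'       => 'email',
        'required'   => true,
        'filters'    => [['name' => 'StringTrim']],
        'validators' => [['name' => 'EmailAddress']],
    ]);

    $inputFilter->add([
        'name'       => 'subject',
        'required'   => true,
        'filters'    => [['name' => 'StringTrim'], ['name' => 'StripTags']],
        'validators' => [
            ['name' => 'StringLength', 'options' => ['min' => 1, 'max' => 128]],
        ],
    ]);

    return $inputFilter;
}

// Constructed sample submissions: one acceptable, one with a malformed address.
$samples = [
    ['email' => '  alice@example.com ', 'subject' => ' <b>Order</b> question '],
    ['email' => 'not-an-address',       'subject' => 'Hello'],
];

foreach ($samples as $data) {
    $inputFilter = buildContactFilter();
    $inputFilter->setData($data);

    if ($inputFilter->isValid()) {
        // Filtered values: whitespace trimmed, HTML tags removed from subject.
        var_export($inputFilter->getValues());
    } else {
        // Per-field error messages to show next to the form fields.
        var_export($inputFilter->getMessages());
    }
    echo PHP_EOL;
}
```

Read submitted data only through getValues() after isValid() succeeds, so the application never works with the raw request values. Filtered values still need to be escaped for their output context when rendered.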