
vincent15000

Discussion about TALL vs pure HTML, CSS, JS, PHP

Hello,

Some months ago, I had a discussion with a developer who works on some applications which need to be very secure.

He told me that, according to him, if I really need a secure application, I shouldn't use any framework and just develop it with pure HTML, CSS, JS, PHP.

What do you think about it?

Thanks for sharing your opinion.

V

0 likes
16 replies
Snapey

so code written yourself is safer than code that has had thousands of eyes over it?

3 likes
vincent15000

@Snapey I'm not sure. For me coding with Laravel is safer than coding with pure PHP.

The argument of the guy I talked with is that a framework has a lot of code, a lot of packages, ... and so more possibilities of security flaw.

martinbean

@vincent15000 Humans aren’t infallible. If you for example wrote a login system from scratch then it may have a vulnerability, that could go undetected for a long period of time, and if discovered might be exploited until you discovered someone was exploiting it (if you discover it at all).

Now consider something that’s open source and popular like Laravel. It’s got perhaps hundreds of thousands of developers using it. Any issues are quickly spotted and patched. You essentially have many colleagues for free using open source software.

Unfortunately, there’s no mutual exclusivity between writing something versus using off the shelf, and “secureness”. Some open source code is “secure”, other open source code is not. Some hand-written code is “secure”, other hand-written code is not. Security is also a lot more than some PHP code. You’ve got to think about networking, client-side concerns like XSS, session hijacking, etc.

2 likes
jlrdw

@vincent15000 I trust Laravel and the packages it comes with.

However, if authorization and authentication and other Laravel security is not correctly implemented, then that app isn't secure.

However, when correctly implemented, Laravel is very secure.

Just a guess, but there are probably hundreds or more wrong installs where the .env file is exposed.

That is not Laravel's fault, but people that don't follow the documentation and correct security practices.

I have seen posts where folks in the top 50 who are answering have all but begged the person to set up Laravel correctly; instead they use some YouTube video that is an incorrect install.

2 likes
vincent15000

@jlrdw I have always followed the documentation to install Laravel correctly (I hope correctly).

And there are some very useful series here on Laracasts.

When you say where the .env file is exposed, what do you mean? For me the .env file cannot be exposed if the Laravel project folder is correctly installed on the server so that you can only access the public folder ... sure, unless somebody can access the server.

1 like
Snapey

@vincent15000 his point is that code vulnerabilities are only one facet of security. There are many things that a bad developer can do with good code to make it insecure, which is also the point Martin was making.

2 likes
kokoshneta

@vincent15000 That particular example is from when people want to install Laravel on a shared server and just upload everything to the root directory, meaning that anyone can see the .env file. Just one way a Laravel installation can be made very non-secure by the developer if they don’t know what they’re doing.

2 likes
vincent15000

@kokoshneta What you probably mean is that some shared servers are accessible by all users of this shared server?

That's strange ... I already installed Laravel on a shared webhosting, but the access is secured by the webhoster so that each user has his own folder, accessible only by him.

There are probably other examples of insecure shared webhosting ... it would be crazy to upload all data and leave it accessible to other users on this type of webhosting.

I'm always very careful about how I install Laravel on webhostings because I lack knowledge about web servers and system administration, so I always take precautions, hopefully the right choices.

Snapey

@vincent15000

What you probably mean is that some shared servers are accessible by all users of this shared server ?

no, that's not what he means. We would hope the hosting company knows how to isolate its users. But too many inexperienced devs just dump their entire project into the public_html folder.

1 like
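A layout check for the mistake Snapey describes (the whole project dumped into the document root, so .env sits next to index.php). This is an added example, not code from the thread or from the Laravel project; the document-root path is an assumption passed in by the caller, and the demo directory is constructed on the fly.

```shell
#!/bin/sh
# check_laravel_docroot DOCROOT
# Returns 0 when DOCROOT looks like Laravel's public/ folder with no project
# files inside it, 1 when sensitive files would be served by the web server.
check_laravel_docroot() {
  docroot="$1"
  status=0
  # Laravel's public/ folder is the only directory that should be the
  # document root; it contains index.php as the front controller.
  if [ ! -f "$docroot/index.php" ]; then
    echo "no index.php under $docroot: document root is not Laravel's public/ dir" >&2
    status=1
  fi
  # Project files that must never be reachable under the document root.
  for f in .env .env.example composer.json composer.lock artisan; do
    if [ -e "$docroot/$f" ]; then
      echo "EXPOSED: $docroot/$f is inside the document root" >&2
      status=1
    fi
  done
  # Framework directories that must stay one level above the document root.
  for d in app bootstrap config database routes storage vendor; do
    if [ -d "$docroot/$d" ]; then
      echo "EXPOSED: $docroot/$d/ is inside the document root" >&2
      status=1
    fi
  done
  return $status
}

# Demo on a constructed layout (not a real deployment): the entire project
# copied into public_html, which is exactly the bad install from the thread.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/app" "$demo_dir/storage"
touch "$demo_dir/.env" "$demo_dir/index.php" "$demo_dir/artisan"
if check_laravel_docroot "$demo_dir"; then
  echo "layout looks safe"
else
  echo "layout is unsafe: point the document root at public/ instead"
fi
rm -rf "$demo_dir"
```

Run it against the real document root of a deployment (for example the path your virtual host's DocumentRoot points at) to confirm it ends in public/ and contains nothing but the front controller and static assets.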
jlrdw

@vincent15000

He told me that, according to him, if I really need a secure application, I shouldn't use any framework and just develop it with pure HTML, CSS, JS, PHP.

Here's the point:

Even PHP can have vulnerabilities; it also has patches.

So what that person said is not correct.

Just be aware there are some packages on GitHub not to trust.

Stick with known good safe packages.

I programmed in Java for years, servlets, JSP, classes, but even in Java you have to look for patches if there is a problem with some security. That's the case for all languages: Python, Node.js, all.

Re-read the deployment chapter in the documentation.

Edit:

Do things like Jeffrey and Taylor do and you are good to go.

1 like
