#Security

Although NativePHP tries to make it as easy as possible to make your application secure, it is your responsibility to protect your users.

#Secrets and .env

As your application is being installed on systems outside your/your organisation's control, it is important to think of the environment that it's in as potentially hostile, which is to say that any secrets, passwords or keys could fall into the hands of someone who might try to abuse them.

This means you should, where possible, use unique keys for each installation, preferring to generate these at first-run or on every run rather than sharing the same key for every user across many installations.

Especially if your application communicates with any private APIs over the network, we highly recommend that your application and the API use a robust, secure authentication protocol such as OAuth2, which lets you create and distribute unique, expiring tokens (an expiration date less than 48 hours in the future is recommended) with a high level of entropy, making them hard to guess and hard to abuse.

Always use HTTPS.

If your application allows users to connect their own API keys for a service, you should treat these keys with great care. If you choose to store them anywhere (either in a file or a database), make sure you store them encrypted and decrypt them only when needed.

#Secure Storage

NativePHP provides access to the native Keystore/Keychain on your users' devices through the SecureStorage facade, which allows you to store small amounts of data in a secure way.

The device's secure storage encrypts and decrypts data on the fly, which means you can safely rely on it to store critical things like API tokens, keeping your users and your systems safe.

This data is only accessible by your app and is persisted beyond the lifetime of your app, so it will still be available the next time your app is opened.

#When to use the Laravel Crypt facade

When a user first opens your app, NativePHP generates a unique APP_KEY just for their device and stores it in the device's secure storage. This means each instance of your application has its own encryption key that is securely stored on the device.

NativePHP securely reads the APP_KEY from secure storage and makes it available to Laravel. So you can safely use the Crypt facade to encrypt and decrypt data!

This is great for encrypting larger amounts of data that wouldn't easily fit in secure storage. You can encrypt values and store them in the file system or in the SQLite database, knowing that they are safe at rest:

```php
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Storage;

// Encrypt the uploaded file's contents (not the UploadedFile object itself,
// which would only stringify to its temporary path) before writing it to disk.
$encryptedContents = Crypt::encryptString(
    $request->file('super_private_file')->get()
);

Storage::put('my_secure_file', $encryptedContents);
```

And then decrypt it later:

```php
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Storage;

// Read the ciphertext back from disk and decrypt it with the same per-device APP_KEY.
$decryptedContents = Crypt::decryptString(
    Storage::get('my_secure_file')
);
```
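The same Crypt pattern applied to the user-supplied API keys described under Secrets and .env, as an added example that is not part of the NativePHP docs: the key is stored only as ciphertext and decrypted just for the request that needs it. The `ThirdPartyKeyStore` class, its methods and the `user_integrations` table are assumptions for illustration; the `DecryptException` branch covers ciphertext produced under a different APP_KEY, which cannot be read on this device because every installation has its own key.

```php
<?php
// Added example (not NativePHP's own code): keep a user-supplied third-party
// API key encrypted at rest and decrypt it only when a request needs it.
// Assumes a Laravel app where NativePHP has supplied the per-device APP_KEY,
// and a hypothetical `user_integrations` table (service, api_key, updated_at).
namespace App\Services;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Http;

class ThirdPartyKeyStore
{
    // Persist only ciphertext; the plaintext key never reaches the database.
    public function save(string $service, string $apiKey): void
    {
        DB::table('user_integrations')->updateOrInsert(
            ['service' => $service],
            ['api_key' => Crypt::encryptString($apiKey), 'updated_at' => now()]
        );
    }

    // Decrypt for the duration of the request that needs the key, nothing longer.
    public function callWithKey(string $service, string $url): array
    {
        $row = DB::table('user_integrations')->where('service', $service)->first();
        if ($row === null) {
            throw new \RuntimeException("No key stored for {$service}");
        }

        try {
            $apiKey = Crypt::decryptString($row->api_key);
        } catch (DecryptException $e) {
            // Each device has its own APP_KEY, so ciphertext copied from another
            // installation cannot be decrypted here. Treat it as lost and make
            // the user reconnect the service rather than silently using garbage.
            $this->forget($service);
            throw new \RuntimeException("Stored key for {$service} is unreadable", 0, $e);
        }

        return Http::withToken($apiKey)->get($url)->throw()->json();
    }

    public function forget(string $service): void
    {
        DB::table('user_integrations')->where('service', $service)->delete();
    }
}
```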