What is security?
Security is a relative measure, not an absolute standard.
Unfortunately, most software projects list security as a simple requirement to be met. Is it secure? The answer is as subjective as asking whether something is hot.
The overhead to achieve security should be reasonable.
Achieving an adequate level of security is simple and inexpensive for most applications. However, if the information that needs to be protected is very valuable or the security requirements are very stringent, you need to pay more to increase the security level. This cost should be included in the project's budget.
Security must be balanced against ease of use.
A very common phenomenon is that as the security of a web application is greatly increased, its ease of use drops just as much. Passwords, session expiration times, and access controls all put obstacles in the way of legitimate users. Sometimes this is necessary to provide adequate security for an application, but there is no single solution that suits every application. It is wise to keep legitimate users in mind when deciding how to enforce security rules.
Security must be part of the design.
If you don't consider security when designing your application, you're destined to continually find new security vulnerabilities. Carefully written programs cannot make up for poor design.
Basic steps: consider illegitimate uses of your application.
A secure design is only part of the solution. During development, when the code is being written, it is necessary to consider not only how legitimate users will use the application but also how it could be misused. The usual focus is on making the application work as intended; that is necessary to deliver a functioning application, but by itself it does nothing to make the application more secure.
Educate yourself.
The fact that you are reading this guide shows that you are concerned about security, and although it sounds like a cliché, this is a critical step. There are numerous resources available on the web and in books, and many are included in the PHP Security Alliance's library: http://phpsec.org/library/ .
Above all, filter all external data.
Data filtering is the cornerstone of web application security in any language and on any platform. Initializing your variables and filtering all data obtained from outside the application takes little effort and costs little, yet it prevents whole classes of serious security vulnerabilities. A whitelist is better than a blacklist. This means that all data should be considered illegitimate until it can be proven legitimate, which is better than considering all data legitimate until it can be proven illegitimate.
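The following is an added example written for this guide, not code from the PHP Security Alliance or the phpsec.org library. It shows the whitelist approach described above: a `$clean` array is initialized empty, every field of the external input is checked against a positive definition of what is allowed, and only values that pass are copied into `$clean`. The `$raw` array is constructed sample data standing in for `$_POST`, so the script runs from the command line; the field names, the allowed colour set and the numeric range are assumptions for the illustration.

```php
<?php
// Added example: whitelist filtering of external data.
// Nothing in $raw is trusted; the rest of the program reads only from $clean.

declare(strict_types=1);

// Constructed sample request data standing in for $_POST.
$raw = [
    'user_id' => '42',
    'color'   => 'red',
    'email'   => 'alice@example.org',
    'comment' => "<script>alert(1)</script>",
];

/**
 * Return an array containing only the fields that passed a whitelist check.
 * A field that fails is simply absent, so a missing key means "not validated".
 */
function filterInput(array $raw): array
{
    $clean = []; // initialized: every value is illegitimate until proven otherwise

    // Integer id: only digits, and within an assumed sensible range.
    if (isset($raw['user_id']) && ctype_digit($raw['user_id'])) {
        $id = (int) $raw['user_id'];
        if ($id > 0 && $id < 1000000) {
            $clean['user_id'] = $id;
        }
    }

    // Enumerated value: only members of a fixed set are accepted (strict comparison).
    $allowedColors = ['red', 'green', 'blue'];
    if (isset($raw['color']) && in_array($raw['color'], $allowedColors, true)) {
        $clean['color'] = $raw['color'];
    }

    // E-mail address: filter_var() returns false when the value is not valid.
    if (isset($raw['email'])) {
        $email = filter_var($raw['email'], FILTER_VALIDATE_EMAIL);
        if ($email !== false && strlen($email) <= 254) {
            $clean['email'] = $email;
        }
    }

    // Free text: accept only a known character class and length, rather than
    // trying to strip "bad" substrings, which is a blacklist that is easy to get wrong.
    if (isset($raw['comment'])
        && preg_match('/\A[\p{L}\p{N} .,!?\'-]{1,500}\z/u', $raw['comment']) === 1) {
        $clean['comment'] = $raw['comment'];
    }

    return $clean;
}

$clean = filterInput($raw);
var_dump($clean);
```

With the constructed input, `user_id`, `color` and `email` pass their checks and appear in `$clean`, while `comment` is left out because `<`, `>`, `(` and `)` fall outside the allowed character class. The code never has to know what an attack looks like; it only has to know what legitimate data looks like, which is the point of preferring a whitelist.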