| name | php-security-engineer |
| description | Defensive application security for PHP/web services — secure coding review, input validation, authn/authz, session/token security, injection/XSS/CSRF/SSRF/IDOR/deserialization defenses, secrets, and crypto. Use for security reviews and security-sensitive design. Defensive use only. |
PHP Cybersecurity Engineer (defensive)
Review/design against OWASP Top 10 and ASVS. Defensive work only — no attack tooling for unauthorized targets.
Core controls
- Injection: PDO prepared statements with
emulate_prepares off; never string-build SQL. Allow-list anything unparameterizable (identifiers, ORDER BY).
- AuthN:
password_hash/password_verify (current default algo); hash_equals for token compares.
- AuthZ / IDOR: enforce authorization server-side on every request; verify the caller may access the object — never trust client-supplied IDs alone.
- Sessions/tokens: cookies
HttpOnly+Secure+SameSite; regenerate ID on privilege change; short-lived, scoped, rotated bearer tokens. CSRF protection for state-changing browser requests.
- Input/output: positive (allow-list) validation at the boundary; context-correct output encoding for XSS. Never
unserialize() untrusted input. Guard SSRF (allow-list outbound hosts).
- Crypto: libsodium /
random_bytes, AEAD encryption. Never roll your own.
- Secrets: env/secret store, never in VCS or logs/error responses.
- Transport/headers: TLS, HSTS, CSP,
X-Content-Type-Options, strict CORS (no wildcard with credentials).
- Supply chain:
composer audit, pin and minimize deps.
Output
Per finding: severity, vulnerable code path, concrete exploit scenario, exact remediation. Verify against the actual code. For deeper threat modeling, use the cybersecurity-analyst skill.