Is it a secure application?

Created: Feb 29, 2012 9:33:01 AM CST
Last updated: Apr 10, 2012 10:59:14 AM CST

I saw this question in a forum once and I think I should add this to my website with an answer.

Is the Zend Framework a secure option for a web application with authentication and authorization?

Well, the simple answer is yes: there is some security in the Zend Framework, but that answer could be very misleading and dangerous. Hence, what follows is a more detailed answer to this important question. Surprisingly, most of it has nothing to do with the Zend Framework but with security in general.

Security is your responsibility

One thing has to be addressed first. Security for a website or a web application is your responsibility, or it is delegated to somebody who knows and understands security, like me. Dead simple.

Delegating it to, or relying on, an application doing it for you in some fancy or magic way is flat out dangerous. This is not only a nail in the coffin for the Zend Framework but for any website and application: WordPress, Joomla, Drupal, PHP, Perl, Ruby, ASP, you name it.

Even straight and simple HTML. If you don't protect access to your simple HTML pages, somebody might be able to change the content. This might be little damage and not a big deal, but still, it shows where the problem is.

Communication layers

To understand security we have to understand the different levels of access control. Let's call them layers for a few paragraphs, though.

OSI Model

In networking there is a model called OSI, which stands for Open Systems Interconnection. For a brief introduction into the OSI model you can read more about it on Wikipedia.

The model has seven (7) layers and each layer defines how computer systems communicate with each other on that particular layer. The interesting part here is that we are more or less able to control access on each and every layer.

Firewalls

Over a few of these layers we can control access with what is commonly known as a firewall. There are other types of applications doing similar things, i.e. controlling access, but they are not necessarily called firewalls. Be careful here when you talk to networking pros; they are sometimes a little peculiar.

Application control

Which brings us to the top layer in our OSI Model, the application layer.

Now, strictly speaking, this application layer does not refer to an application like the Zend Framework but to your web server and HTTP. The OSI model is about the communication between computer systems, and they talk HTTP with each other.

If you are familiar with a web server like Apache, nginx or IIS you know that you have quite a few options to control access with your web server.

File System Security

Which brings us to another layer of security, but let's go back to calling them levels now. Once we have reached our web server we have to control access on the file system level.

WWW root

A major problem I see with many hosting providers and applications is that the directory where all your files are is also the www root folder.

When all your application files are in the web's root folder it is easy to understand that this is not good, I think. See below why the Zend Framework is different in this regard. Now, although you will not list your application's files publicly, they are still there.

If it is a well known application people will know them anyway, and when you don't take any other precautions to prevent access you are asking for trouble.

Many hosting providers offer an easy installation for web applications like WordPress, Joomla and phpMyAdmin, and the installation goes right into this www root folder. Because these are very well known applications, their file structures are well known, and so are any vulnerabilities. Go figure!

Vulnerability example

Want an example? My website gets constantly probed to see if I have WordPress or phpMyAdmin installed. The file names are well known and they are well exposed; sometimes even intentionally, like the wp-login.php file.

Nothing wrong with this wp-login.php file actually, except that everybody knows it. I can only imagine what would happen if they found any of these on my servers.

First, you should really avoid having your application and files in your www root. If this is not an option with your current hosting provider you should seriously consider moving to another provider, or make absolutely sure these files are not accessible and protect them with appropriate file system security.

Data and database security

Most applications today use a database in one way or another. However, many users have little to absolutely no knowledge about databases and database security. They follow some standard procedures or recommendations like installing phpMyAdmin without knowing how to use it exactly, i.e. they install it but don't use it. Sad but true, I've seen it.

Like I mentioned in the example above, my website gets constantly probed for phpMyAdmin. For good reason: a surprisingly high number of sites use this application, with direct access from the Internet.

What about the Zend Framework

If you came here to find out whether the Zend Framework is a secure application, I hope the introduction showed you where your main concern should be. You should be familiar and comfortable with security on many levels.

If you want to rely for security on a web application alone, like the Zend Framework, WordPress, Joomla or whichever, you are living a dangerous Internet presence.

Know your application and know how to install and operate it in a secure way.

More secure than others

The Zend Framework for me is more secure than other web applications for two very simple reasons.

First, you have to download and install it yourself. You don't see any Install button like you see for WordPress and others. So far I have not seen any of the common hosting providers offering an easy-peasy-lemon-squeezy Zend Framework installation. There are others, like me with my Zend Development Services, who offer tailored and ready to use installations, but that's a different story.

The second reason, and where the Zend Framework is a little bit different, is the clear separation between the public www root folder and the application plus library folders. There is the bare minimum of an index.php in your www root folder and everything else is outside of the public's view by default.
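What that separation looks like in practice, as an added example that is not from the original page or the Zend Framework skeleton: a public/index.php front controller that bootstraps from directories outside the www root and refuses to run if the layout has collapsed into it. The directory names under /var/www/example are assumed.

```php
<?php
// Added example (not the page's or Zend's own code). Assumed layout:
//   /var/www/example/public/index.php   <- the only PHP file in DocumentRoot
//   /var/www/example/application/       <- controllers, views, configs/application.ini
//   /var/www/example/library/           <- Zend/ plus your own classes
$publicPath = realpath(dirname(__FILE__));
define('APPLICATION_PATH', realpath(dirname(__FILE__) . '/../application'));
define('LIBRARY_PATH', realpath(dirname(__FILE__) . '/../library'));

// Deployment self-check: neither application/ nor library/ may live below the
// directory the web server actually publishes, otherwise every .ini, .phtml and
// class file becomes directly requestable by anyone who knows the file names.
$docRoot = isset($_SERVER['DOCUMENT_ROOT'])
    ? realpath($_SERVER['DOCUMENT_ROOT'])
    : $publicPath;
$private = array('application' => APPLICATION_PATH, 'library' => LIBRARY_PATH);
foreach ($private as $name => $dir) {
    $missing = ($dir === false);
    $exposed = !$missing
        && strpos($dir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0;
    if ($missing || $exposed) {
        // Fail closed and keep the detail in the server log, not in the response.
        error_log("Misconfigured deployment: $name/ is " . ($missing ? 'missing' : 'inside the web root'));
        header('HTTP/1.1 500 Internal Server Error');
        exit('Server configuration error.');
    }
}

// Standard Zend Framework 1 bootstrap from here on.
defined('APPLICATION_ENV')
    || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? getenv('APPLICATION_ENV') : 'production');
set_include_path(implode(PATH_SEPARATOR, array(LIBRARY_PATH, get_include_path())));
require_once 'Zend/Application.php';
$application = new Zend_Application(APPLICATION_ENV, APPLICATION_PATH . '/configs/application.ini');
$application->bootstrap()->run();
```

Pair this with a web server configuration whose DocumentRoot is the public/ directory only; the check above then confirms at request time that nothing private has ended up underneath it.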

Authentication and authorization

Last but not least you have a pretty strong authentication library in the Zend Framework.

The tiny little problem here is that it is only a library and not a finished, ready to use module you pop into your application. You have to write your own access and authentication procedure, but with the help of the library you can build your own security package very quickly.

The good thing about this is that it is your own implementation, which gives few clues on how it actually works. Nobody will know whether there are any vulnerabilities like a default admin account with a default password.
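An example of such a self-written procedure, added here and not from the original page or the Zend Framework: a small Zend_Auth adapter (ZF1) that checks a user against your own table with password_verify(), has no built-in accounts, and returns the same failure code whether the username or the password was wrong. The users table and the $db adapter are assumptions.

```php
<?php
// Added example (not the page's or Zend's own code). Assumes a Zend_Db adapter
// and a table users(id, username, password_hash, is_active) where password_hash
// was produced by password_hash() (PHP >= 5.5), never plain text or MD5.
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Result.php';

class My_Auth_Adapter implements Zend_Auth_Adapter_Interface
{
    private $db;
    private $identity;
    private $credential;

    public function __construct(Zend_Db_Adapter_Abstract $db, $identity, $credential)
    {
        $this->db         = $db;
        $this->identity   = (string) $identity;
        $this->credential = (string) $credential;
    }

    public function authenticate()
    {
        $select = $this->db->select()
            ->from('users', array('id', 'username', 'password_hash', 'is_active'))
            ->where('username = ?', $this->identity)   // bound parameter, no string building
            ->limit(1);
        $row = $this->db->fetchRow($select);

        // One failure code for "no such user" and "wrong password": the response
        // must not tell a prober which usernames exist.
        if ($row === false || !password_verify($this->credential, $row['password_hash'])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null,
                array('Invalid username or password.'));
        }
        if (!$row['is_active']) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_UNCATEGORIZED, null,
                array('Account is disabled.'));
        }
        // Store only what the session needs as the identity; never the hash.
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS,
            array('id' => (int) $row['id'], 'username' => $row['username']));
    }
}

// Usage in a login action (assumed $db, $username and $password from the form):
// $result = Zend_Auth::getInstance()->authenticate(new My_Auth_Adapter($db, $username, $password));
// if ($result->isValid()) { /* identity is now in Zend_Auth's session storage */ }
```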

Need help?

If you need any help with the Zend Framework in terms of setup, hosting and security, I will be more than happy to help. See my Contact page and use the contact form to get a quote.
