James Galley

Web application developer

PHP, Yii, MySQL, Node.js - JavaScript, HTML, CSS & SASS, jQuery - Linux, AWS & serverless

PHP web application security and maintenance

Web security is an essential component of any business's web presence, yet it is often an afterthought.

Businesses are often not aware of what their current security posture is, how secure (or otherwise) their websites or applications are, particularly over time as a website ages while technology - and threats - move on.

I'm committed to delivering the best practice web security principles for every project I work on, whether that's for a brand new application or website, or when I'm taking on an existing application for maintenance or new features.

Throughout my career as a PHP web developer, and now as a founder of the Manchester-based Digital Studio, Si Novi, I've always had a keen focus on web security and have always enjoyed assisting businesses with improving their web security, ensuring data privacy and in bringing visibility of security into your compliance processes.

So what does my approach to web security look like? There are several considerations I make:

Best practice security principles

I'm a firm believer in keeping up with current best practices and following authoritative sources on web security threats.

One of the best frameworks for considering web security is the OWASP foundation's top-10 security risks. This framework should be the foundation of every PHP developer's security considerations, as it lists the current most dangerous and prevalent web security risks, together with example attacks and mitigations. The OWASP top-10 is updated every few years, keeping your focus on the most serious threats.

I also keep up to date with the security features and best practice security techniques of the frameworks and applications I use, such as the Yii 2 PHP framework which itself takes web security very seriously.

PHP application architecture - security and privacy by design and by default

Building a PHP web application the right way is fundamental to making it secure. Choosing the right software, frameworks, hosting architecture and infrastructure gives you the best foundations for security, both at launch and throughout the lifetime of an application or website.

I'm a keen proponent of cloud hosting and infrastructure, using secure cloud-based services like AWS S3 for encrypted document storage and utilising network-level security such as AWS Web Application Firewall.

These considerations should be made in terms of your responsibilities for personal data under the DPA and GDPR, as under the GDPR, data protection should come as standard:

The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.

In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

Information Commissioner's Office [Source]

Regular maintenance

Vehicles in the UK are subject to an annual legal health check - the MOT - and what's more, you have to replace the tires, brakes, oil and top up the washer fluid now and again to make sure your car is running properly, and safely.

I believe that it's essential that websites and web applications should be treated the same way, with regular periodic checks and maintenance to keep them up to date.

Open source web software by its very nature is regularly updated, often in response to newly discovered security threats - but without maintaining and updating your website, you won't benefit from these improvements and your site may become vulnerable.

The underlying operating systems and programming languages on which your website or application lives are also a constantly changing environment. For example, PHP version 5.6 is now end-of-life and obsolete, yet I still see many sites running this potentially dangerous version of PHP. New versions of PHP or JavaScript libraries can often introduce incompatibilities into your own website or application code, which will require regular maintenance to resolve.

The more regularly a website or web application is maintained and updated, the more secure it will be, and the less effort and investment will be required in the long-term.

Contact me to find out about the kind of support and maintenance contracts I can offer to keep your website running smoothly and securely.

Using the best security tools

There are numerous excellent third-party tools available online to review the security of your website or web application. I like to build the use of these tools into my development, DevOps and website maintenance processes so that I always have a good picture of my current security posture.

Regular checks using these kinds of tools are an important process that can identify new threats, or new opportunities to use technology to make your website or application more secure.

The excellent service securityheaders.com provides a score for your website's use of security headers. Configuring your website's security headers correctly can improve your resilience to attacks by giving you more control over what your website will allow users to do. Try testing your own site using securityheaders.com - if you see some red flags, contact me and we can work together to improve your security posture.
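As an added example (not code from this page or from the author's projects), here is a plain-PHP function that emits a baseline set of the response headers that securityheaders.com scores. The header values are illustrative assumptions: the Content-Security-Policy in particular must be tailored to the scripts, styles and origins a given site actually loads, or it will break the site rather than protect it.

```php
<?php
declare(strict_types=1);

/**
 * Returns the security headers this example applies, keyed by header name.
 * All values here are illustrative and should be adjusted per site.
 */
function securityHeaders(bool $isHttps): array
{
    $headers = [
        // Stops the browser MIME-sniffing a response into a script or style.
        'X-Content-Type-Options' => 'nosniff',
        // Refuses to be framed by other origins (clickjacking defence).
        'X-Frame-Options' => 'DENY',
        // Limits what the browser puts in the Referer header on outbound links.
        'Referrer-Policy' => 'strict-origin-when-cross-origin',
        // Opts out of browser features the site does not use.
        'Permissions-Policy' => 'camera=(), microphone=(), geolocation=()',
        // Restricts where scripts, styles, images etc. may be loaded from.
        'Content-Security-Policy' => implode('; ', [
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self'",
            "img-src 'self' data:",
            "object-src 'none'",
            "frame-ancestors 'none'",
            "base-uri 'self'",
            "form-action 'self'",
        ]),
    ];

    // HSTS only has effect on an HTTPS response, and includeSubDomains commits
    // every subdomain to HTTPS, so only send it once that is true.
    if ($isHttps) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    return $headers;
}

/** Emits the headers. Must run before any output is sent to the client. */
function sendSecurityHeaders(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;

    foreach (securityHeaders($isHttps) as $name => $value) {
        header($name . ': ' . $value);
    }

    // Stop advertising the PHP version (set expose_php=Off in php.ini as well).
    header_remove('X-Powered-By');
}

sendSecurityHeaders();
echo "Hello, secure world\n";
```

In a Yii 2 application the same headers would normally be set through the response object (Yii::$app->response->headers->set(...)) from a bootstrap component or a base controller's beforeAction, rather than by calling header() directly, so that every route gets them consistently. Start with Content-Security-Policy-Report-Only while tuning a CSP; only switch to the enforcing header once the reports are clean.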


Finally, the unmeasurable factor in approaching web security is the experience, instincts and knowledge of a good PHP developer.

I've been doing this a long time, and I know where to look to find security vulnerabilities or where corners have been cut in PHP applications. I know how to price projects to include security considerations, and I wouldn't take on a project that was insecure - without having the opportunity to resolve those security issues first.

Every developer should have heard of Little Bobby Tables, published back in 2007. Some even have this testament to web security framed and hung on the wall...
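The lesson of Little Bobby Tables is that user input must never be spliced into SQL text. As an added example (not code from this page or the author's projects), the following runs against a constructed in-memory SQLite database and contrasts a vulnerable concatenated query with a PDO prepared statement; the students table and sample rows are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database, so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO students (name) VALUES ('Alice'), ('Bob')");

/** VULNERABLE: the caller's string becomes part of the SQL itself. */
function findStudentUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM students WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** SAFE: the SQL text is fixed; the value is sent separately as a parameter. */
function findStudentSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM students WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** SAFE insert: whatever the name contains is stored as data, never executed. */
function addStudent(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO students (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

$input = "' OR '1'='1";

// Vulnerable: the WHERE clause becomes  name = '' OR '1'='1'  and matches every row,
// so a lookup that should return nothing leaks the whole table.
var_dump(findStudentUnsafe($pdo, $input));

// Safe: the database looks for a student literally named  ' OR '1'='1  and finds none.
var_dump(findStudentSafe($pdo, $input));

// Bobby himself: stored and retrieved as a plain string, table still intact.
$bobby = "Robert'); DROP TABLE students;--";
addStudent($pdo, $bobby);
var_dump(findStudentSafe($pdo, $bobby));
var_dump($pdo->query('SELECT COUNT(*) FROM students')->fetchColumn());
```

The same rule applies in Yii 2: use the query builder or Active Record, or pass values through the params argument of createCommand(), and treat any string concatenated into SQL as a defect to fix during a code review or maintenance pass. Escaping functions are not a substitute, because they are easy to forget on one of many call sites; parameterisation removes the class of bug rather than one instance of it.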

To talk to me about securing or maintaining your PHP web application - or for a free quotation, please contact me: hello@jamesgalley.com.
