CINXE.COM

<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-disabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Security for developers - MediaWiki</title> <script>(function(){var className="client-js vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-disabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )mediawikiwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""], "wgDefaultDateFormat":"dmy","wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"ccf62e83-65c7-4006-bedc-de04654b67d5","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Security_for_developers","wgTitle":"Security for developers","wgCurRevisionId":6603658,"wgRevisionId":6603658,"wgArticleId":37736,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["Development guidelines","Security"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Security_for_developers","wgRelevantArticleId":37736,"wgIsProbablyEditable":true,"wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"mediawiki","wgCiteReferencePreviewsActive":true,"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true, "wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":10000,"wgTranslatePageTranslation":"source","wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgDiscussionToolsFeaturesEnabled":{"replytool":true,"newtopictool":true,"sourcemodetoolbar":true,"topicsubscription":false,"autotopicsub":false,"visualenhancements":false,"visualenhancements_reply":false,"visualenhancements_pageframe":false},"wgDiscussionToolsFallbackEditMode":"visual","wgULSPosition":"personal","wgULSisCompactLinksEnabled":true,"wgVector2022LanguageInHeader":false,"wgULSisLanguageSelectorEmpty":false,"wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"]};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready" ,"user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.translate.tag.languages":"ready","ext.pygments":"ready","ext.tmh.player.styles":"ready","ext.discussionTools.init.styles":"ready","oojs-ui-core.styles":"ready","oojs-ui.styles.indicators":"ready","mediawiki.widgets.styles":"ready","oojs-ui-core.icons":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.translate.edit.documentation.styles":"ready","ext.translate":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.pt":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.pygments.view","mediawiki.page.media","ext.tmh.player","site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.translate.pagetranslation.uls","ext.urlShortener.toolbar", "ext.centralauth.centralautologin","mmv.bootstrap","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.discussionTools.init","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.compactlinks","ext.uls.interface","ext.checkUser.clientHints"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&modules=ext.discussionTools.init.styles%7Cext.pygments%2Ctranslate%2CwikimediaBadges%7Cext.tmh.player.styles%7Cext.translate.edit.documentation.styles%7Cext.translate.tag.languages%7Cext.uls.pt%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediamessages.styles%7Cmediawiki.widgets.styles%7Coojs-ui-core.icons%2Cstyles%7Coojs-ui.styles.indicators%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022"> <script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.5"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/6/69/MediaWiki_Security.ogv/1200px--MediaWiki_Security.ogv.jpg"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="675"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/6/69/MediaWiki_Security.ogv/800px--MediaWiki_Security.ogv.jpg"> <meta property="og:image:width" content="800"> <meta property="og:image:height" content="450"> <meta property="og:image" content="https://upload.wikimedia.org/wikipedia/commons/thumb/6/69/MediaWiki_Security.ogv/640px--MediaWiki_Security.ogv.jpg"> <meta property="og:image:width" content="640"> <meta property="og:image:height" content="360"> <meta name="viewport" content="width=1120"> <meta property="og:site_name" content="MediaWiki"> <meta property="og:title" content="Security for developers - MediaWiki"> <meta property="og:type" content="website"> <link rel="preconnect" href="//upload.wikimedia.org"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//m.mediawiki.org/wiki/Security_for_developers"> <link rel="alternate" type="application/x-wiki" title="Edit" href="/w/index.php?title=Security_for_developers&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/mediawiki.png"> <link rel="icon" href="/static/favicon/mediawiki.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="MediaWiki (en)"> <link rel="EditURI" type="application/rsd+xml" href="//www.mediawiki.org/w/api.php?action=rsd"> <link rel="canonical" href="https://www.mediawiki.org/wiki/Security_for_developers"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <link rel="alternate" type="application/atom+xml" title="MediaWiki Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom"> <link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="ext-discussiontools-replytool-enabled ext-discussiontools-newtopictool-enabled ext-discussiontools-sourcemodetoolbar-enabled skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject mw-editable page-Security_for_developers rootpage-Security_for_developers skin-vector-2022 action-view"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-menu mw-ui-icon-wikimedia-menu"></span> <span class="vector-dropdown-label-text">Main menu</span> </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/MediaWiki" title="Visit the main page [z]" accesskey="z"><span>Main page</span></a></li><li id="n-mw-download" class="mw-list-item"><a href="/wiki/Download"><span>Get MediaWiki</span></a></li><li id="n-mw-extensions" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Category:Extensions"><span>Get extensions</span></a></li><li id="n-blog-text" class="mw-list-item"><a href="https://techblog.wikimedia.org/"><span>Tech blog</span></a></li><li id="n-mw-contribute" class="mw-list-item"><a href="/wiki/Special:MyLanguage/How_to_contribute"><span>Contribute</span></a></li> </ul> </div> </div> <div id="p-support" class="vector-menu mw-portlet mw-portlet-support" > <div class="vector-menu-heading"> Support </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Help:Contents" title="The place to find out"><span>User help</span></a></li><li id="n-mw-faq" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Manual:FAQ"><span>FAQ</span></a></li><li id="n-mw-manual" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Manual:Contents"><span>Technical manual</span></a></li><li id="n-mw-supportdesk" class="mw-list-item"><a href="/wiki/Project:Support_desk"><span>Support desk</span></a></li><li id="n-mw-communication" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Communication"><span>Communication</span></a></li> </ul> </div> </div> <div id="p-development" class="vector-menu mw-portlet mw-portlet-development" > <div class="vector-menu-heading"> Development </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mw-developerportal" class="mw-list-item"><a href="https://developer.wikimedia.org/"><span>Developer portal</span></a></li><li id="n-svn-statistics" class="mw-list-item"><a href="/wiki/Development_statistics"><span>Code statistics</span></a></li> </ul> </div> </div> <div id="p-mediawiki.org" class="vector-menu mw-portlet mw-portlet-mediawiki_org" > <div class="vector-menu-heading"> mediawiki.org </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-portal" class="mw-list-item"><a href="/wiki/Project:Help" title="About the project, what you can do, where to find things"><span>Community portal</span></a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes in the wiki [r]" accesskey="r"><span>Recent changes</span></a></li><li id="n-mw-translate" class="mw-list-item"><a href="/wiki/Special:LanguageStats"><span>Translate content</span></a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Load a random page [x]" accesskey="x"><span>Random page</span></a></li><li id="n-mw-discussion" class="mw-list-item"><a href="/wiki/Project:Village_Pump"><span>Village pump</span></a></li><li id="n-Sandboxlink-portlet-label" class="mw-list-item"><a href="/wiki/Project:Sandbox"><span>Sandbox</span></a></li> </ul> </div> </div> <div id="p-lang" class="vector-menu mw-portlet mw-portlet-lang" > <div class="vector-menu-heading"> In other languages </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> <div class="after-portlet after-portlet-lang"><span class="wb-langlinks-add wb-langlinks-link"><a href="https://www.wikidata.org/wiki/Special:NewItem?site=mediawikiwiki&page=Security+for+developers" title="Add interlanguage links" class="wbc-editpage">Add links</a></span></div> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/MediaWiki" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/mediawikiwiki.svg" alt="" aria-hidden="true" height="50" width="50"> <span class="mw-logo-container skin-invert"> <img class="mw-logo-wordmark" alt="MediaWiki" src="/static/images/mobile/copyright/mediawikiwiki-wordmark.svg" style="width: 7.5em; height: 1.125em;"> </span> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search MediaWiki [f]" accesskey="f"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search MediaWiki" aria-label="Search MediaWiki" autocapitalize="sentences" title="Search MediaWiki [f]" accesskey="f" id="searchInput" > <span class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-uls" class="mw-list-item active user-links-collapsible-item"><a data-mw="interface" href="#" class="uls-trigger cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet"><span class="vector-icon mw-ui-icon-wikimedia-language mw-ui-icon-wikimedia-wikimedia-language"></span> <span>English</span></a> </li> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page's font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-appearance mw-ui-icon-wikimedia-appearance"></span> <span class="vector-dropdown-label-text">Appearance</span> </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/?wmf_source=donate&wmf_medium=sidebar&wmf_campaign=www.mediawiki.org&uselang=en" class=""><span>Donate</span></a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&returnto=Security+for+developers" title="You are encouraged to create an account and log in; however, it is not mandatory" class=""><span>Create account</span></a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&returnto=Security+for+developers" title="You are encouraged to log in; however, it is not mandatory [o]" accesskey="o" class=""><span>Log in</span></a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="More options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-ellipsis mw-ui-icon-wikimedia-ellipsis"></span> <span class="vector-dropdown-label-text">Personal tools</span> </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/?wmf_source=donate&wmf_medium=sidebar&wmf_campaign=www.mediawiki.org&uselang=en"><span>Donate</span></a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&returnto=Security+for+developers" title="You are encouraged to create an account and log in; however, it is not mandatory"><span class="vector-icon mw-ui-icon-userAdd mw-ui-icon-wikimedia-userAdd"></span> <span>Create account</span></a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&returnto=Security+for+developers" title="You are encouraged to log in; however, it is not mandatory [o]" accesskey="o"><span class="vector-icon mw-ui-icon-logIn mw-ui-icon-wikimedia-logIn"></span> <span>Log in</span></a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing"><span>learn more</span></a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y"><span>Contributions</span></a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n"><span>Talk</span></a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> <div class="vector-sticky-pinned-container"> <nav id="mw-panel-toc" aria-label="Contents" data-event-name="ui.sidebar-toc" class="mw-table-of-contents-container vector-toc-landmark"> <div id="vector-toc-pinned-container" class="vector-pinned-container"> <div id="vector-toc" class="vector-toc vector-pinnable-element"> <div class="vector-pinnable-header vector-toc-pinnable-header vector-pinnable-header-pinned" data-feature-name="toc-pinned" data-pinnable-element-id="vector-toc" > <h2 class="vector-pinnable-header-label">Contents</h2> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-toc.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-toc.unpin">hide</button> </div> <ul class="vector-toc-contents" id="mw-panel-toc-list"> <li id="toc-mw-content-text" class="vector-toc-list-item vector-toc-level-1"> <a href="#" class="vector-toc-link"> <div class="vector-toc-text">Beginning</div> </a> </li> <li id="toc-Why_security_matters" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Why_security_matters"> <div class="vector-toc-text"> <span class="vector-toc-numb">1</span> <span>Why security matters</span> </div> </a> <ul id="toc-Why_security_matters-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Demonstrable_security" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Demonstrable_security"> <div class="vector-toc-text"> <span class="vector-toc-numb">2</span> <span>Demonstrable security</span> </div> </a> <ul id="toc-Demonstrable_security-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Overview_of_security_vulnerabilities_and_attacks" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Overview_of_security_vulnerabilities_and_attacks"> <div class="vector-toc-text"> <span class="vector-toc-numb">3</span> <span>Overview of security vulnerabilities and attacks</span> </div> </a> <button aria-controls="toc-Overview_of_security_vulnerabilities_and_attacks-sublist" class="cdx-button cdx-button--weight-quiet cdx-button--icon-only vector-toc-toggle"> <span class="vector-icon mw-ui-icon-wikimedia-expand"></span> <span>Toggle Overview of security vulnerabilities and attacks subsection</span> </button> <ul id="toc-Overview_of_security_vulnerabilities_and_attacks-sublist" class="vector-toc-list"> <li id="toc-Cross-site_scripting_(XSS)" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Cross-site_scripting_(XSS)"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.1</span> <span>Cross-site scripting (XSS)</span> </div> </a> <ul id="toc-Cross-site_scripting_(XSS)-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Cross-site_request_forgery_(CSRF)" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Cross-site_request_forgery_(CSRF)"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.2</span> <span>Cross-site request forgery (CSRF)</span> </div> </a> <ul id="toc-Cross-site_request_forgery_(CSRF)-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-SQL_injection" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#SQL_injection"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.3</span> <span>SQL injection</span> </div> </a> <ul id="toc-SQL_injection-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-serialize()_/_unserialize()" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#serialize()_/_unserialize()"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.4</span> <span>serialize() / unserialize()</span> </div> </a> <ul id="toc-serialize()_/_unserialize()-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Historical" class="vector-toc-list-item vector-toc-level-2"> <a class="vector-toc-link" href="#Historical"> <div class="vector-toc-text"> <span class="vector-toc-numb">3.5</span> <span>Historical</span> </div> </a> <ul id="toc-Historical-sublist" class="vector-toc-list"> </ul> </li> </ul> </li> <li id="toc-See_also" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#See_also"> <div class="vector-toc-text"> <span class="vector-toc-numb">4</span> <span>See also</span> </div> </a> <ul id="toc-See_also-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Subpages" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Subpages"> <div class="vector-toc-text"> <span class="vector-toc-numb">5</span> <span>Subpages</span> </div> </a> <ul id="toc-Subpages-sublist" class="vector-toc-list"> </ul> </li> </ul> </div> </div> </nav> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Security for developers</span></h1> <div class="mw-indicators"> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Security_for_developers" title="View the content page [c]" accesskey="c"><span>Page</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Security_for_developers" rel="discussion" title="Discussion about the content page [t]" accesskey="t"><span>Discussion</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Security_for_developers"><span>Read</span></a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Security_for_developers&action=edit" title="Edit the source code of this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Security_for_developers&action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Security_for_developers"><span>Read</span></a></li><li id="ca-more-edit" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Security_for_developers&action=edit" title="Edit the source code of this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Security_for_developers&action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Security_for_developers" title="A list of all wiki pages that link here [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Security_for_developers" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="//commons.wikimedia.org/wiki/Special:UploadWizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Security_for_developers&oldid=6603658" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Security_for_developers&action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&page=Security_for_developers&id=6603658&wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fwww.mediawiki.org%2Fwiki%2FSecurity_for_developers"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fwww.mediawiki.org%2Fwiki%2FSecurity_for_developers"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-create_a_book" class="mw-list-item"><a href="/w/index.php?title=Special:Book&bookcmd=book_creator&referer=Security+for+developers"><span>Create a book</span></a></li><li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&page=Security_for_developers&action=show-download-screen"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Security_for_developers&printable=yes" title="Printable version of this page [p]" accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects emptyPortlet" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div id="siteSub" class="noprint">From mediawiki.org</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-pt-translate-header noprint nomobile" dir="ltr" lang="en"><a href="/w/index.php?title=Special:Translate&group=page-Security+for+developers&action=page&filter=&action_source=translate_page" title="Special:Translate">Translate this page</a></div><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="mw-pt-languages noprint navigation-not-searchable" lang="en" dir="ltr"><div class="mw-pt-languages-label">Languages:</div><ul class="mw-pt-languages-list"><li><a href="/wiki/Security_for_developers/de" class="mw-pt-progress mw-pt-progress--low" title="Sicherheit für Entwickler (6% translated)" lang="de" dir="ltr">Deutsch</a></li> <li><span class="mw-pt-languages-ui mw-pt-languages-selected mw-pt-progress mw-pt-progress--complete" lang="en" dir="ltr">English</span></li> <li><a href="/wiki/Security_for_developers/es" class="mw-pt-progress mw-pt-progress--low" title="Seguridad para desarrolladores (1% translated)" lang="es" dir="ltr">español</a></li> <li><a href="/wiki/Security_for_developers/fr" class="mw-pt-progress mw-pt-progress--complete" title="Sécurité pour les développeurs (100% translated)" lang="fr" dir="ltr">français</a></li> <li><a href="/wiki/Security_for_developers/cs" class="mw-pt-progress mw-pt-progress--complete" title="Bezpečnost pro vývojáře (100% translated)" lang="cs" dir="ltr">čeština</a></li> <li><a href="/wiki/Security_for_developers/ru" class="mw-pt-progress mw-pt-progress--low" title="Безопасность для разработчиков (3% translated)" lang="ru" dir="ltr">русский</a></li> <li><a href="/wiki/Security_for_developers/bn" class="mw-pt-progress mw-pt-progress--low" title="বিকাশকারীদের জন্য সুরক্ষা (1% translated)" lang="bn" dir="ltr">বাংলা</a></li> <li><a href="/wiki/Security_for_developers/gu" class="mw-pt-progress mw-pt-progress--low" title="Security for developers/gu (1% translated)" lang="gu" dir="ltr">ગુજરાતી</a></li> <li><a href="/wiki/Security_for_developers/zh" class="mw-pt-progress mw-pt-progress--low" title="Security for developers/zh (12% translated)" lang="zh" dir="ltr">中文</a></li> <li><a href="/wiki/Security_for_developers/ja" class="mw-pt-progress mw-pt-progress--high" title="開発者向けセキュリティ (96% translated)" lang="ja" dir="ltr">日本語</a></li> <li><a href="/wiki/Security_for_developers/nan" class="mw-pt-progress mw-pt-progress--low" title="Khai-huat-tsiá an-tsuân (4% translated)" lang="nan" dir="ltr">閩南語 / Bân-lâm-gú</a></li></ul></div> <style data-mw-deduplicate="TemplateStyles:r6870138">.mw-parser-output table.ambox{margin:0 10%;width:unset;border:1px solid var(--border-color-base,#a2a9b1);border-left:10px solid var(--border-color-progressive,#36c);background-color:var(--background-color-neutral-subtle,#f8f9fa);box-sizing:border-box}.mw-parser-output table.ambox+table.ambox,.mw-parser-output table.ambox+link+table.ambox,.mw-parser-output table.ambox+style+table.ambox{margin-top:-1px}.mw-parser-output .ambox td.mbox-empty-cell{border:none;padding:0;width:1px}.mw-parser-output .ambox th.mbox-text,.mw-parser-output .ambox td.mbox-text{border:none;padding:0.25em 0.5em;width:100%}.mw-parser-output .ambox td.mbox-image{padding:2px 0 2px 0.5em}.mw-parser-output .ambox td.mbox-imageright{padding:2px 0.5em 2px 0}.mw-parser-output table.ambox-notice{border-left-color:var(--border-color-progressive,#36c)}.mw-parser-output table.ambox-speedy{background-color:var(--background-color-error-subtle,#fee7e6)}.mw-parser-output table.ambox-delete,.mw-parser-output table.ambox-speedy{border-left-color:var(--background-color-error--active,#b32424)}.mw-parser-output table.ambox-content{border-left-color:#f28500}.mw-parser-output table.ambox-style{border-left-color:#fc3}.mw-parser-output table.ambox-move{border-left-color:#9932cc}.mw-parser-output table.ambox-protection{border-left-color:var(--border-color-base,#a2a9b1)}html body.mediawiki .mw-parser-output .ambox.mbox-small{clear:right;float:right;margin:4px 0 4px 1em;box-sizing:border-box;width:238px;font-size:88%;line-height:1.25em}html body.mediawiki .mw-parser-output .ambox.mbox-small-left{margin:4px 1em 4px 0;box-sizing:border-box;overflow:hidden;width:238px;border-collapse:collapse;font-size:88%;line-height:1.25em}</style><table class="ambox ambox-notice plainlinks metadata" role="presentation"><tbody><tr><td class="mbox-image"><div style="width:52px"><span typeof="mw:File"><span><img src="//upload.wikimedia.org/wikipedia/commons/thumb/f/f6/OOjs_UI_icon_check-constructive.svg/30px-OOjs_UI_icon_check-constructive.svg.png" decoding="async" width="30" height="30" class="mw-file-element" srcset="//upload.wikimedia.org/wikipedia/commons/thumb/f/f6/OOjs_UI_icon_check-constructive.svg/45px-OOjs_UI_icon_check-constructive.svg.png 1.5x, //upload.wikimedia.org/wikipedia/commons/thumb/f/f6/OOjs_UI_icon_check-constructive.svg/60px-OOjs_UI_icon_check-constructive.svg.png 2x" data-file-width="20" data-file-height="20"/></span></span></div></td><td class="mbox-text"><div class="mbox-text-span">This page documents a MediaWiki <a href="/wiki/Special:MyLanguage/Development_guidelines" title="Special:MyLanguage/Development guidelines">development guideline</a>, crafted over time by developer consensus (or sometimes by proclamation from a lead developer)</div></td></tr></tbody></table> <figure typeof="mw:File/Thumb"><span><video id="mwe_player_0" poster="//upload.wikimedia.org/wikipedia/commons/thumb/6/69/MediaWiki_Security.ogv/300px--MediaWiki_Security.ogv.jpg" controls="" preload="none" data-mw-tmh="" class="mw-file-element" width="300" height="169" data-durationhint="1444" data-mwtitle="MediaWiki_Security.ogv" data-mwprovider="wikimediacommons" resource="/wiki/File:MediaWiki_Security.ogv"><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.480p.vp9.webm" type="video/webm; codecs="vp9, opus"" data-transcodekey="480p.vp9.webm" data-width="854" data-height="480"/><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.720p.vp9.webm" type="video/webm; codecs="vp9, opus"" data-transcodekey="720p.vp9.webm" data-width="1280" data-height="720"/><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.1080p.vp9.webm" type="video/webm; codecs="vp9, opus"" data-transcodekey="1080p.vp9.webm" data-width="1920" data-height="1080"/><source src="//upload.wikimedia.org/wikipedia/commons/6/69/MediaWiki_Security.ogv" type="video/ogg; codecs="theora, vorbis"" data-width="1920" data-height="1080"/><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.240p.vp9.webm" type="video/webm; codecs="vp9, opus"" data-transcodekey="240p.vp9.webm" data-width="426" data-height="240"/><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.360p.vp9.webm" type="video/webm; codecs="vp9, opus"" data-transcodekey="360p.vp9.webm" data-width="640" data-height="360"/><source src="//upload.wikimedia.org/wikipedia/commons/transcoded/6/69/MediaWiki_Security.ogv/MediaWiki_Security.ogv.360p.webm" type="video/webm; codecs="vp8, vorbis"" data-transcodekey="360p.webm" data-width="640" data-height="360"/></video></span><figcaption>Presentation by Wikimedia Foundation Security Engineer Chris Steipp from the <a href="/wiki/Special:MyLanguage/Wikimedia_Engineering/WMF_Tech_Days_2012" title="Special:MyLanguage/Wikimedia Engineering/WMF Tech Days 2012">WMF Tech Days 2012</a></figcaption></figure> <p><b>As a MediaWiki developer, you have a responsibility to write secure code in a style that is easy to review and audit.</b> This article focuses on the issues related to security and on the best practices used by MediaWiki developers to address these security issues. For issues of coding style, please read the MediaWiki <a href="/wiki/Special:MyLanguage/Manual:coding_conventions" title="Special:MyLanguage/Manual:coding conventions">coding conventions</a>. </p><p><b>Every MediaWiki developer</b> should carefully read this article, regardless of their level of experience in web application development and with PHP, and periodically re-familiarise themselves with this material. Additionally, every developer should carefully read the articles on <a href="/wiki/Special:MyLanguage/Cross-site_scripting" title="Special:MyLanguage/Cross-site scripting">Cross-site scripting (XSS)</a>, <a href="/wiki/Special:MyLanguage/Cross-site_request_forgery" title="Special:MyLanguage/Cross-site request forgery">Cross-site request forgery (CSRF)</a>, and <a href="/wiki/Special:MyLanguage/SQL_injection" title="Special:MyLanguage/SQL injection">SQL injection</a><span style="display:none"><a href="/wiki/SQL_injection" title="SQL injection"> </a></span>, which each provide more detailed explanations of each of these common vulnerability types. The <a href="/wiki/Special:MyLanguage/security_checklist_for_developers" title="Special:MyLanguage/security checklist for developers">Security checklist for developers</a><span style="display:none"><a href="/wiki/Security_checklist_for_developers" title="Security checklist for developers"> </a></span> provides a useful reference for common development tasks. </p> <meta property="mw:PageProp/toc"/> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Why_security_matters" data-mw-thread-id="h-Why_security_matters"><span data-mw-comment-start="" id="h-Why_security_matters"></span>Why security matters<span data-mw-comment-end="h-Why_security_matters"></span></h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=1" title="Edit section: Why security matters"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Web application security is a critical issue in the wired world. Websites with security vulnerabilities are a key part of the illicit global infrastructure of malware, spam and phishing. <a href="https://en.wikipedia.org/wiki/Bot_herder" class="extiw" title="w:Bot herder"> Bot herders</a> crawl the web looking for websites with security vulnerabilities, and then use the vulnerabilities to hijack them. The hijacked website will distribute malware (viruses) to visitors, either via browser vulnerabilities or overtly by social engineering. The downloaded malware turns the client's computer into a "zombie" that is part of a global network of organised crime aimed at stealing bank account details, sending spam, and extorting money from websites with denial-of-service threats. </p> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Demonstrable_security" data-mw-thread-id="h-Demonstrable_security"><span data-mw-comment-start="" id="h-Demonstrable_security"></span>Demonstrable security<span data-mw-comment-end="h-Demonstrable_security"></span></h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=2" title="Edit section: Demonstrable security"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>It's not enough to assure yourself that you are perfect and that your code has no security vulnerabilities. Everyone makes mistakes. All MediaWiki core code, and a good deal of MediaWiki extensions code, is reviewed by experienced developers to verify its security. This is a good practice and should be encouraged. </p><p>Write code in such a way that it is <b>demonstrably secure</b>, such that a reviewer can more easily tell that it's secure. Don't write code that looks suspicious but is, on careful examination, secure. Such code causes unnecessary <b>reviewer anxiety</b>. </p> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Overview_of_security_vulnerabilities_and_attacks" data-mw-thread-id="h-Overview_of_security_vulnerabilities_and_attacks"><span data-mw-comment-start="" id="h-Overview_of_security_vulnerabilities_and_attacks"></span>Overview of security vulnerabilities and attacks<span data-mw-comment-end="h-Overview_of_security_vulnerabilities_and_attacks"></span></h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=3" title="Edit section: Overview of security vulnerabilities and attacks"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>This document has a strong focus on the following attacks and security risks. Each MediaWiki developer should be familiar with these issues and have at least a passing understanding of them. </p> <div class="mw-heading mw-heading3"><h3 id="Cross-site_scripting_(XSS)" data-mw-thread-id="h-Cross-site_scripting_(XSS)-Overview_of_security_vulnerabilities_and_attacks"><span id="Cross-site_scripting_.28XSS.29"></span><span data-mw-comment-start="" id="h-Cross-site_scripting_(XSS)-Overview_of_security_vulnerabilities_and_attacks"></span>Cross-site scripting (XSS)<span data-mw-comment-end="h-Cross-site_scripting_(XSS)-Overview_of_security_vulnerabilities_and_attacks"></span></h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=4" title="Edit section: Cross-site scripting (XSS)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><i>For detailed information on avoiding XSS vulnerabilities in MediaWiki, read the <a href="/wiki/Special:MyLanguage/Cross-site_scripting" title="Special:MyLanguage/Cross-site scripting">Cross-site scripting</a> article.</i> Cross-site scripting (XSS) vulnerabilities allow an attacker to inject malicious code into a website. XSS vulnerabilities are caused by a web application not properly escaping data from external sources (such as GET data, POST data, RSS feeds or URLs). The range of attacks that can be made via XSS are very diverse, ranging from harmless pranks to the hijacking of an authenticated user's account. </p><p><b>Primary defenses</b>: To avoid XSS attacks, the basic principles are: </p> <ul><li>Validate your input</li> <li>Escape your output</li></ul> <p>You can skip validation, but you can never skip escaping. Escape everything. Escape as close to the output as possible, so that the reviewer can easily verify that it was done. </p><p>Note that output encoding (escaping) is context sensitive. So be aware of the intended output context and encode appropriately (e.g. HTML entity, URL, JavaScript, etc.) </p><p>The <a rel="nofollow" class="external text" href="https://wiki.owasp.org/index.php/OWASP_Cheat_Sheet_Series">OWASP Abridged XSS Prevention Cheat Sheet</a> is a useful and up to date quick reference guide for mitigating XSS issues. </p><p>If you are writing JavaScript, please ensure that you understand <a href="/wiki/Special:MyLanguage/DOM-based_XSS" title="Special:MyLanguage/DOM-based XSS">DOM-based XSS</a>, and how to prevent it in your code. </p> <div class="mw-heading mw-heading3"><h3 id="Cross-site_request_forgery_(CSRF)" data-mw-thread-id="h-Cross-site_request_forgery_(CSRF)-Overview_of_security_vulnerabilities_and_attacks"><span id="Cross-site_request_forgery_.28CSRF.29"></span><span data-mw-comment-start="" id="h-Cross-site_request_forgery_(CSRF)-Overview_of_security_vulnerabilities_and_attacks"></span>Cross-site request forgery (CSRF)<span data-mw-comment-end="h-Cross-site_request_forgery_(CSRF)-Overview_of_security_vulnerabilities_and_attacks"></span></h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=5" title="Edit section: Cross-site request forgery (CSRF)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><i>For detailed information on avoiding CSRF vulnerabilities in MediaWiki, read the <a href="/wiki/Special:MyLanguage/Cross-site_request_forgery" title="Special:MyLanguage/Cross-site request forgery">Cross-site request forgery</a><span style="display:none"><a href="/wiki/Cross-site_request_forgery" title="Cross-site request forgery"> </a></span> article.</i> Cross-site request forgery (CSRF or XSRF) attacks use authentication credentials cached in a victim's browser (such as a cookie or cached username and password) to authorise malicious HTTP requests. The malicious HTTP request can be sent in many ways. As long as the requests are processed by a web browser that has cached authentication credentials, a CSRF attack can be attempted. </p><p><b>Primary defenses</b>: Our primary defense mechanism against CSRF attacks is to add <a href="/wiki/Special:MyLanguage/Manual:Edit_token" title="Special:MyLanguage/Manual:Edit token">edit tokens</a> to HTML forms. </p> <div class="mw-heading mw-heading3"><h3 id="SQL_injection" data-mw-thread-id="h-SQL_injection-Overview_of_security_vulnerabilities_and_attacks"><span data-mw-comment-start="" id="h-SQL_injection-Overview_of_security_vulnerabilities_and_attacks"></span>SQL injection<span data-mw-comment-end="h-SQL_injection-Overview_of_security_vulnerabilities_and_attacks"></span></h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=6" title="Edit section: SQL injection"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><i>For detailed information on avoiding SQL injection, read the <a href="/wiki/SQL_injection" title="SQL injection">SQL injection</a> article.</i> </p><p>SQL injection relies on poorly validated input being used in a database query, possibly allowing an attacker to run arbitrary SQL queries on your server. The attacker may then be able to fetch private data, destroy data or cause other unintended responses. In the worst case, the injected code could allow the attacker to gain full control of the system by exploiting multiple vulnerabilities in the database server, system utilities and operating system. </p><p><b>Primary defenses</b>: The primary defense against SQL injection is to use <a href="/wiki/Special:MyLanguage/Manual:Database_access" title="Special:MyLanguage/Manual:Database access">MediaWiki's built-in database functions</a>. Avoid using direct SQL queries at all costs. </p> <div class="mw-heading mw-heading3"><h3 id="serialize()_/_unserialize()" data-mw-thread-id="h-serialize()_/_unserialize()-Overview_of_security_vulnerabilities_and_attacks"><span id="serialize.28.29_.2F_unserialize.28.29"></span><span data-mw-comment-start="" id="h-serialize()_/_unserialize()-Overview_of_security_vulnerabilities_and_attacks"></span><code>serialize()</code> / <code>unserialize()</code><span data-mw-comment-end="h-serialize()_/_unserialize()-Overview_of_security_vulnerabilities_and_attacks"></span></h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=7" title="Edit section: serialize() / unserialize()"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><code>unserialize()</code> can lead to arbitrary code execution. To prevent this MediaWiki developers should always use json instead of php serialisation in new code. </p><p><b>Primary defenses</b>: Use <code class="mw-highlight mw-highlight-lang-php mw-content-ltr" style="" dir="ltr"><span class="nx">FormatJson</span><span class="o">::</span><span class="na">encode</span><span class="p">()</span></code> and <code class="mw-highlight mw-highlight-lang-php mw-content-ltr" style="" dir="ltr"><span class="nx">FormatJson</span><span class="o">::</span><span class="na">decode</span><span class="p">()</span></code> instead of PHP's native serialisation. </p> <div class="mw-heading mw-heading3"><h3 id="Historical" data-mw-thread-id="h-Historical-Overview_of_security_vulnerabilities_and_attacks"><span data-mw-comment-start="" id="h-Historical-Overview_of_security_vulnerabilities_and_attacks"></span>Historical<span data-mw-comment-end="h-Historical-Overview_of_security_vulnerabilities_and_attacks"></span></h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=8" title="Edit section: Historical"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Register_globals" title="Register globals">register_globals</a>, has not been an issue since <a href="/wiki/Special:MyLanguage/MediaWiki_1.24" title="Special:MyLanguage/MediaWiki 1.24">MediaWiki 1.24</a><span style="display:none"><a href="/wiki/MediaWiki_1.24" title="MediaWiki 1.24"> </a></span>+.</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="See_also" data-mw-thread-id="h-See_also"><span data-mw-comment-start="" id="h-See_also"></span>See also<span data-mw-comment-end="h-See_also"></span></h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=9" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Special:MyLanguage/Security_checklist_for_developers" title="Special:MyLanguage/Security checklist for developers">Security checklist for developers</a><span style="display:none"><a href="/wiki/Security_checklist_for_developers" title="Security checklist for developers"> </a></span> – a checklist of common development tasks, and the security measures necessary for those tasks <ul><li><a href="/wiki/Special:MyLanguage/Continuous_integration/Phan/Phan-taint-check-plugin" title="Special:MyLanguage/Continuous integration/Phan/Phan-taint-check-plugin">phan-taint-check-plugin</a><span style="display:none"><a href="/wiki/Continuous_integration/Phan/Phan-taint-check-plugin" class="mw-redirect" title="Continuous integration/Phan/Phan-taint-check-plugin"> </a></span> – a static analysis tool specifically for MediaWiki that checks your extension for common security flaws. Run as part of <a href="/wiki/Special:MyLanguage/Continuous_integration/Phan" title="Special:MyLanguage/Continuous integration/Phan">Phan</a><span style="display:none"><a href="/wiki/Continuous_integration/Phan" title="Continuous integration/Phan"> </a></span>.</li> <li><a href="/wiki/PhpStorm_project_security" title="PhpStorm project security">PhpStorm project security</a> – for developers who use the <a href="https://en.wikipedia.org/wiki/PhpStorm" class="extiw" title="w:PhpStorm">PhpStorm</a> development environment</li></ul></li> <li><a href="/wiki/Special:MyLanguage/Security" title="Special:MyLanguage/Security">Security</a><span style="display:none"><a href="/wiki/Security" title="Security"> </a></span> – How to report security issues in Wikimedia software</li> <li>Common vulnerabilities <ul><li><a href="/wiki/Special:MyLanguage/Cross-site_scripting" title="Special:MyLanguage/Cross-site scripting">Cross-site scripting</a><span style="display:none"><a href="/wiki/Cross-site_scripting" title="Cross-site scripting"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Cross-site_request_forgery" title="Special:MyLanguage/Cross-site request forgery">Cross-site request forgery</a><span style="display:none"><a href="/wiki/Cross-site_request_forgery" title="Cross-site request forgery"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/SQL_injection" title="Special:MyLanguage/SQL injection">SQL injection</a><span style="display:none"><a href="/wiki/SQL_injection" title="SQL injection"> </a></span></li> <li><a rel="nofollow" class="external text" href="https://www.owasp.org/">Open Web Application Security Project</a> (OWASP) – general overview of vulnerabilities</li></ul></li> <li><a href="/wiki/Special:MyLanguage/Manual:Security" title="Special:MyLanguage/Manual:Security">Manual:Security</a><span style="display:none"><a href="/wiki/Manual:Security" title="Manual:Security"> </a></span> – information for MediaWiki system administrators how to harden your MediaWiki installation</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Subpages" data-mw-thread-id="h-Subpages"><span data-mw-comment-start="" id="h-Subpages"></span>Subpages<span data-mw-comment-end="h-Subpages"></span></h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Security_for_developers&action=edit&section=10" title="Edit section: Subpages"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Security_for_developers/Architecture" title="Security for developers/Architecture">Security for developers/Architecture</a></li> <li><a href="/wiki/Security_for_developers/Tutorial" title="Security for developers/Tutorial">Security for developers/Tutorial</a></li></ul> <p><br/> </p> <div class="navbox-styles nomobile"><style data-mw-deduplicate="TemplateStyles:r6230902">.mw-parser-output .navbox{border:1px solid #aaa;box-sizing:border-box;width:100%;margin:auto;clear:both;font-size:88%;text-align:center;padding:1px}.mw-parser-output .navbox-inner,.mw-parser-output .navbox-subgroup{width:100%}.mw-parser-output .navbox+.navbox-styles+.navbox{margin-top:-1px}.mw-parser-output .navbox th,.mw-parser-output .navbox-title,.mw-parser-output .navbox-abovebelow{text-align:center;padding-left:1em;padding-right:1em}.mw-parser-output th.navbox-group{white-space:nowrap;text-align:right}.mw-parser-output .navbox,.mw-parser-output .navbox-subgroup{background:#fdfdfd}.mw-parser-output .navbox-list{border-color:#fdfdfd}.mw-parser-output .navbox th,.mw-parser-output .navbox-title{background:#eaeeff}.mw-parser-output .navbox-abovebelow,.mw-parser-output th.navbox-group,.mw-parser-output .navbox-subgroup .navbox-title{background:#ddddff}.mw-parser-output .navbox-subgroup .navbox-group,.mw-parser-output .navbox-subgroup .navbox-abovebelow{background:#e6e6ff}.mw-parser-output .navbox-even{background:#f7f7f7}.mw-parser-output .navbox-odd{background:transparent}.mw-parser-output th.navbox-title1{border-left:2px solid #fdfdfd;width:100%}.mw-parser-output td.navbox-list1{text-align:left;border-left-width:2px;border-left-style:solid}.mw-parser-output .navbox .hlist td dl,.mw-parser-output .navbox .hlist td ol,.mw-parser-output .navbox .hlist td ul,.mw-parser-output .navbox td.hlist dl,.mw-parser-output .navbox td.hlist ol,.mw-parser-output .navbox td.hlist ul{padding:0.125em 0}.mw-parser-output .navbox .hlist dd,.mw-parser-output .navbox .hlist dt,.mw-parser-output .navbox .hlist li{white-space:nowrap}.mw-parser-output .navbox .hlist dd dl,.mw-parser-output .navbox .hlist dt dl,.mw-parser-output .navbox .hlist li ol,.mw-parser-output .navbox .hlist li ul{white-space:normal}.mw-parser-output ol+.navbox-styles+.navbox,.mw-parser-output ul+.navbox-styles+.navbox{margin-top:0.5em}</style></div><div role="navigation" class="navbox" aria-labelledby="Development_guidelines" style="border: 1px solid #aaa; padding: 3px;;padding:3px"><table class="nowraplinks hlist navbox-inner" style="border-spacing:0;background:transparent;color:inherit"><tbody><tr><th scope="col" class="navbox-title" colspan="2"><style data-mw-deduplicate="TemplateStyles:r6387430">.mw-parser-output .hlist dl,.mw-parser-output .hlist ol,.mw-parser-output .hlist ul{margin:0;padding:0}.mw-parser-output .hlist dd,.mw-parser-output .hlist dt,.mw-parser-output .hlist li{margin:0;display:inline}.mw-parser-output .hlist dl dl,.mw-parser-output .hlist dl ol,.mw-parser-output .hlist dl ul,.mw-parser-output .hlist ol dl,.mw-parser-output .hlist ol ol,.mw-parser-output .hlist ol ul,.mw-parser-output .hlist ul dl,.mw-parser-output .hlist ul ol,.mw-parser-output .hlist ul ul{display:inline}.mw-parser-output .hlist .mw-empty-li,.mw-parser-output .hlist .mw-empty-elt{display:none}.mw-parser-output .hlist dt:after{content:": "}.mw-parser-output .hlist dd:after,.mw-parser-output .hlist li:after{content:" · ";font-weight:bold}.mw-parser-output .hlist dd:last-child:after,.mw-parser-output .hlist dt:last-child:after,.mw-parser-output .hlist li:last-child:after{content:none}.mw-parser-output .hlist dd dd:first-child:before,.mw-parser-output .hlist dd dt:first-child:before,.mw-parser-output .hlist dd li:first-child:before,.mw-parser-output .hlist dt dd:first-child:before,.mw-parser-output .hlist dt dt:first-child:before,.mw-parser-output .hlist dt li:first-child:before,.mw-parser-output .hlist li dd:first-child:before,.mw-parser-output .hlist li dt:first-child:before,.mw-parser-output .hlist li li:first-child:before{content:" (";font-weight:normal}.mw-parser-output .hlist dd dd:last-child:after,.mw-parser-output .hlist dd dt:last-child:after,.mw-parser-output .hlist dd li:last-child:after,.mw-parser-output .hlist dt dd:last-child:after,.mw-parser-output .hlist dt dt:last-child:after,.mw-parser-output .hlist dt li:last-child:after,.mw-parser-output .hlist li dd:last-child:after,.mw-parser-output .hlist li dt:last-child:after,.mw-parser-output .hlist li li:last-child:after{content:")";font-weight:normal}.mw-parser-output .hlist ol{counter-reset:listitem}.mw-parser-output .hlist ol>li{counter-increment:listitem}.mw-parser-output .hlist ol>li:before{content:" "counter(listitem)"\a0 "}.mw-parser-output .hlist dd ol>li:first-child:before,.mw-parser-output .hlist dt ol>li:first-child:before,.mw-parser-output .hlist li ol>li:first-child:before{content:" ("counter(listitem)"\a0 "}</style><style data-mw-deduplicate="TemplateStyles:r4692751">.mw-parser-output .navbar{display:inline;font-size:88%;font-weight:normal}.mw-parser-output .navbar ul{display:inline;white-space:nowrap}.mw-parser-output .navbar li{word-spacing:-0.125em}.mw-parser-output .navbox .navbar{display:block;font-size:100%}.mw-parser-output .navbox-title .navbar{float:left;text-align:left;margin-right:0.5em;width:6em}</style><div class="plainlinks hlist navbar mini"><ul><li class="nv-view"><a href="/wiki/Template:Development_guidelines_navigation" title="Template:Development guidelines navigation"><abbr title="View this template" style=";;background:none transparent;border:none;box-shadow:none; padding:0;">v</abbr></a></li><li class="nv-talk"><a href="/wiki/Template_talk:Development_guidelines_navigation" title="Template talk:Development guidelines navigation"><abbr title="Discuss this template" style=";;background:none transparent;border:none;box-shadow:none; padding:0;">t</abbr></a></li><li class="nv-edit"><a class="external text" href="https://www.mediawiki.org/w/index.php?title=Template:Development_guidelines_navigation&action=edit"><abbr title="Edit this template" style=";;background:none transparent;border:none;box-shadow:none; padding:0;">e</abbr></a></li></ul></div><div id="Development_guidelines" style="font-size:114%;margin:0 4em"><a href="/wiki/Special:MyLanguage/Development_guidelines" title="Special:MyLanguage/Development guidelines"><span style="font-weight: bold;">Development guidelines</span></a><span style="display:none"><a href="/wiki/Development_guidelines" title="Development guidelines"> </a></span></div></th></tr><tr><th scope="row" class="navbox-group" style="width:1%">Policies</th><td class="navbox-list1 navbox-list navbox-odd" style="width:100%;padding:0px"><div style="padding:0em 0.25em"> <ul><li><a href="/wiki/Special:MyLanguage/Development_policy" title="Special:MyLanguage/Development policy">Development policy</a><span style="display:none"><a href="/wiki/Development_policy" title="Development policy"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Wikimedia_Engineering_Architecture_Principles" title="Special:MyLanguage/Wikimedia Engineering Architecture Principles">Architecture principles</a><span style="display:none"><a href="/wiki/Wikimedia_Engineering_Architecture_Principles" title="Wikimedia Engineering Architecture Principles"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Wikimedia_services_policy" title="Special:MyLanguage/Wikimedia services policy">Services policy</a><span style="display:none"><a href="/wiki/Wikimedia_services_policy" title="Wikimedia services policy"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Support_policy_for_PHP" title="Special:MyLanguage/Support policy for PHP">Support policy for PHP</a><span style="display:none"><a href="/wiki/Support_policy_for_PHP" title="Support policy for PHP"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Gerrit/Privilege_policy" title="Special:MyLanguage/Gerrit/Privilege policy">Gerrit/Privilege policy</a><span style="display:none"><a href="/wiki/Gerrit/Privilege_policy" title="Gerrit/Privilege policy"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Stable_interface_policy" title="Special:MyLanguage/Stable interface policy">Stable interface policy</a><span style="display:none"><a href="/wiki/Stable_interface_policy" title="Stable interface policy"> </a></span> <ul><li><a href="/wiki/Special:MyLanguage/Stable_interface_policy/Frontend" title="Special:MyLanguage/Stable interface policy/Frontend">Frontend</a><span style="display:none"><a href="/wiki/Stable_interface_policy/Frontend" title="Stable interface policy/Frontend"> </a></span></li></ul></li> <li><a href="/wiki/Special:MyLanguage/MediaWiki_database_policy" title="Special:MyLanguage/MediaWiki database policy">MediaWiki database policy</a><span style="display:none"><a href="/wiki/MediaWiki_database_policy" title="MediaWiki database policy"> </a></span></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">General guidelines</th><td class="navbox-list1 navbox-list navbox-even" style="width:100%;padding:0px"><div style="padding:0em 0.25em"> <ul><li><b><a href="/wiki/Special:MyLanguage/Security_for_developers" title="Special:MyLanguage/Security for developers">Security for developers</a></b><span style="display:none"><a class="mw-selflink selflink"> </a></span></li> <li><a href="https://wikitech.wikimedia.org/wiki/Performance/Guides/Backend_performance_practices" class="extiw" title="wikitech:Performance/Guides/Backend performance practices">Performance guidelines</a></li> <li><a href="/wiki/Special:MyLanguage/Gerrit/Commit_message_guidelines" title="Special:MyLanguage/Gerrit/Commit message guidelines">Commit message guidelines</a><span style="display:none"><a href="/wiki/Gerrit/Commit_message_guidelines" title="Gerrit/Commit message guidelines"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Security_checklist_for_developers" title="Special:MyLanguage/Security checklist for developers">Security checklist for developers</a><span style="display:none"><a href="/wiki/Security_checklist_for_developers" title="Security checklist for developers"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Localisation" title="Special:MyLanguage/Localisation">Localisation</a><span style="display:none"><a href="/wiki/Localisation" title="Localisation"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Design/Living_style_guide" title="Special:MyLanguage/Design/Living style guide">Design style guide</a><span style="display:none"><a href="/wiki/Design/Living_style_guide" title="Design/Living style guide"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Documentation/Style_guide" title="Special:MyLanguage/Documentation/Style guide">Documentation/Style guide</a><span style="display:none"><a href="/wiki/Documentation/Style_guide" title="Documentation/Style guide"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Accessibility_guide_for_developers" title="Special:MyLanguage/Accessibility guide for developers">Accessibility guide for developers</a><span style="display:none"><a href="/wiki/Accessibility_guide_for_developers" title="Accessibility guide for developers"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Inclusive_language" title="Special:MyLanguage/Inclusive language">Inclusive language</a><span style="display:none"><a href="/wiki/Inclusive_language" title="Inclusive language"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Guidelines_for_a_healthy_code_review_culture" title="Special:MyLanguage/Guidelines for a healthy code review culture">Guidelines for a healthy code review culture</a><span style="display:none"><a href="/wiki/Guidelines_for_a_healthy_code_review_culture" title="Guidelines for a healthy code review culture"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Collaborative_programming" title="Special:MyLanguage/Collaborative programming">Collaborative programming</a><span style="display:none"><a href="/wiki/Collaborative_programming" title="Collaborative programming"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Best_practices_for_extensions" title="Special:MyLanguage/Best practices for extensions">Best practices for extensions</a><span style="display:none"><a href="/wiki/Best_practices_for_extensions" title="Best practices for extensions"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Pre-commit_checklist" title="Special:MyLanguage/Manual:Pre-commit checklist">Pre-commit checklist</a><span style="display:none"><a href="/wiki/Manual:Pre-commit_checklist" title="Manual:Pre-commit checklist"> </a></span></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Code conventions</th><td class="navbox-list1 navbox-list navbox-odd" style="width:100%;padding:0px"><div style="padding:0em 0.25em"> <ul><li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions#Code_structure" title="Special:MyLanguage/Manual:Coding conventions">All languages</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions#Code_structure" title="Manual:Coding conventions"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/PHP" title="Special:MyLanguage/Manual:Coding conventions/PHP">PHP</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/PHP" title="Manual:Coding conventions/PHP"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:PHP_unit_testing/Writing_unit_tests#Test_conventions" title="Special:MyLanguage/Manual:PHP unit testing/Writing unit tests">PHPUnit</a><span style="display:none"><a href="/wiki/Manual:PHP_unit_testing/Writing_unit_tests#Test_conventions" title="Manual:PHP unit testing/Writing unit tests"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/JavaScript" title="Special:MyLanguage/Manual:Coding conventions/JavaScript">JavaScript</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/JavaScript" title="Manual:Coding conventions/JavaScript"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/CSS" title="Special:MyLanguage/Manual:Coding conventions/CSS">CSS</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/CSS" title="Manual:Coding conventions/CSS"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Selenium" title="Special:MyLanguage/Manual:Coding conventions/Selenium">Selenium</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Selenium" title="Manual:Coding conventions/Selenium"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Lua" title="Special:MyLanguage/Manual:Coding conventions/Lua">Lua</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Lua" title="Manual:Coding conventions/Lua"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Python" title="Special:MyLanguage/Manual:Coding conventions/Python">Python</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Python" title="Manual:Coding conventions/Python"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Java" title="Special:MyLanguage/Manual:Coding conventions/Java">Java</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Java" title="Manual:Coding conventions/Java"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/SVG" title="Special:MyLanguage/Manual:Coding conventions/SVG">SVG</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/SVG" title="Manual:Coding conventions/SVG"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Vue" title="Special:MyLanguage/Manual:Coding conventions/Vue">Vue</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Vue" title="Manual:Coding conventions/Vue"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Database" title="Special:MyLanguage/Manual:Coding conventions/Database">Database schemas</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Database" title="Manual:Coding conventions/Database"> </a></span></li> <li><a href="/wiki/Special:MyLanguage/Product_Analytics/Style_guide" title="Special:MyLanguage/Product Analytics/Style guide">Analytics (Python, R, SQL)</a><span style="display:none"><a href="/wiki/Product_Analytics/Style_guide" title="Product Analytics/Style guide"> </a></span></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">API client code</th><td class="navbox-list1 navbox-list navbox-even" style="width:100%;padding:0px"><div style="padding:0em 0.25em"> <ul><li><a href="/wiki/Special:MyLanguage/API:Client_code/Gold_standard" title="Special:MyLanguage/API:Client code/Gold standard">Standards for API client libraries</a><span style="display:none"><a href="/wiki/API:Client_code/Gold_standard" title="API:Client code/Gold standard"> </a></span></li></ul> </div></td></tr><tr><th scope="row" class="navbox-group" style="width:1%">Drafts</th><td class="navbox-list1 navbox-list navbox-odd" style="width:100%;padding:0px"><div style="padding:0em 0.25em"> <ul><li><i><a href="/wiki/Special:MyLanguage/Manual:Coding_conventions/Documentation" title="Special:MyLanguage/Manual:Coding conventions/Documentation">Code documentation</a><span style="display:none"><a href="/wiki/Manual:Coding_conventions/Documentation" title="Manual:Coding conventions/Documentation"> </a></span></i></li></ul> </div></td></tr></tbody></table></div>    </div><noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://www.mediawiki.org/w/index.php?title=Security_for_developers&oldid=6603658">https://www.mediawiki.org/w/index.php?title=Security_for_developers&oldid=6603658</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Special:Categories" title="Special:Categories">Categories</a>: <ul><li><a href="/wiki/Category:Development_guidelines" title="Category:Development guidelines">Development guidelines</a></li><li><a href="/wiki/Category:Security" title="Category:Security">Security</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 26 June 2024, at 04:05.</li> <li id="footer-info-copyright">Text is available under the <a rel="nofollow" class="external text" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en">Creative Commons Attribution-ShareAlike License</a>; additional terms may apply. Text in <a class="external text" href="https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents">the Help: namespace</a> is available under the <a rel="nofollow" class="external text" href="https://creativecommons.org/publicdomain/zero/1.0/">Creative Commons CC0 License</a>. By using this site, you agree to the <a class="external text" href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use">Terms of Use</a> and <a class="external text" href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy Policy</a>.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Project:About">About mediawiki.org</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Project:General_disclaimer">Disclaimers</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://www.mediawiki.org/wiki/Special:MyLanguage/Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/www.mediawiki.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//m.mediawiki.org/w/index.php?title=Security_for_developers&mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-795c86c559-skq8b","wgBackendResponseTime":105,"wgDiscussionToolsPageThreads":[{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Why_security_matters","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Demonstrable_security","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Overview_of_security_vulnerabilities_and_attacks","replies":[{"headingLevel":3,"name":"h-","type":"heading","level":0,"id":"h-Cross-site_scripting_(XSS)-Overview_of_security_vulnerabilities_and_attacks","replies":[]},{"headingLevel":3,"name":"h-","type":"heading","level":0,"id":"h-Cross-site_request_forgery_(CSRF)-Overview_of_security_vulnerabilities_and_attacks","replies":[]},{"headingLevel":3,"name":"h-","type":"heading","level":0,"id":"h-SQL_injection-Overview_of_security_vulnerabilities_and_attacks","replies":[]},{"headingLevel":3,"name":"h-","type":"heading","level":0,"id":"h-serialize()_/_unserialize()-Overview_of_security_vulnerabilities_and_attacks","replies":[]},{"headingLevel":3,"name":"h-","type":"heading","level":0,"id":"h-Historical-Overview_of_security_vulnerabilities_and_attacks","replies":[]}]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-See_also","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Subpages","replies":[]}],"wgPageParseReport":{"discussiontools":{"limitreport-timeusage":"0.016"},"limitreport":{"cputime":"0.499","walltime":"0.656","ppvisitednodes":{"value":3517,"limit":1000000},"postexpandincludesize":{"value":49297,"limit":2097152},"templateargumentsize":{"value":12312,"limit":2097152},"expansiondepth":{"value":16,"limit":100},"expensivefunctioncount":{"value":56,"limit":500},"unstrip-depth":{"value":0,"limit":20},"unstrip-size":{"value":9255,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 412.430 1 -total"," 62.19% 256.477 1 Template:Conventions_navigation"," 60.75% 250.566 1 Template:Navbox"," 60.40% 249.104 48 Template:Ll"," 22.43% 92.504 96 Template:Translatable"," 19.04% 78.543 48 Template:Pagelang"," 12.13% 50.026 1 Template:Development_guideline"," 11.56% 47.662 22 Template:TNTN"," 10.76% 44.385 1 Template:Mbox"," 2.26% 9.327 2 Template:Phpi"]},"scribunto":{"limitreport-timeusage":{"value":"0.190","limit":"10.000"},"limitreport-memusage":{"value":1683470,"limit":52428800}},"cachereport":{"origin":"mw-web.eqiad.main-554bb6b4dc-slt55","timestamp":"20241127140512","ttl":2592000,"transientcontent":false}}});});</script> </body> </html>