{"id":14966410,"url":"https://github.com/yiisoft/security","last_synced_at":"2025-04-09T18:18:24.523Z","repository":{"id":34983181,"uuid":"194089754","full_name":"yiisoft/security","owner":"yiisoft","description":"A set of classes to handle common security-related tasks","archived":false,"fork":false,"pushed_at":"2025-03-04T14:34:24.000Z","size":183,"stargazers_count":42,"open_issues_count":0,"forks_count":11,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-04-09T18:18:20.637Z","etag":null,"topics":["decryption","encryption","hacktoberfest","masking","password","random","security","signature","tampering","token","yii3"],"latest_commit_sha":null,"homepage":"https://www.yiiframework.com/","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yiisoft.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"open_collective":"yiisoft","github":["yiisoft"]}},"created_at":"2019-06-27T12:19:08.000Z","updated_at":"2025-03-04T14:34:28.000Z","dependencies_parsed_at":"2024-11-05T15:42:53.296Z","dependency_job_id":null,"html_url":"https://github.com/yiisoft/security","commit_stats":{"total_commits":101,"total_committers":15,"mean_commits":6.733333333333333,"dds":0.4257425742574258,"last_synced_commit":"091250f55259bd0b2af2ce73776ba24aca70856e"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":"yiisoft/package-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yiiso
ft%2Fsecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yiisoft%2Fsecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yiisoft%2Fsecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yiisoft%2Fsecurity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yiisoft","download_url":"https://codeload.github.com/yiisoft/security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248085326,"owners_count":21045139,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decryption","encryption","hacktoberfest","masking","password","random","security","signature","tampering","token","yii3"],"created_at":"2024-09-24T13:36:20.681Z","updated_at":"2025-04-09T18:18:24.503Z","avatar_url":"https://github.com/yiisoft.png","language":"PHP","readme":"\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/yiisoft\" target=\"_blank\"\u003e\n        \u003cimg src=\"https://yiisoft.github.io/docs/images/yii_logo.svg\" height=\"100px\" alt=\"Yii\"\u003e\n    \u003c/a\u003e\n    \u003ch1 align=\"center\"\u003eYii Security\u003c/h1\u003e\n    \u003cbr\u003e\n\u003c/p\u003e\n\n[![Latest Stable Version](https://poser.pugx.org/yiisoft/security/v)](https://packagist.org/packages/yiisoft/security)\n[![Total Downloads](https://poser.pugx.org/yiisoft/security/downloads)](https://packagist.org/packages/yiisoft/security)\n[![Build 
status](https://github.com/yiisoft/security/actions/workflows/build.yml/badge.svg)](https://github.com/yiisoft/security/actions/workflows/build.yml)\n[![Code Coverage](https://codecov.io/gh/yiisoft/security/graph/badge.svg?token=PLDTLEJ782)](https://codecov.io/gh/yiisoft/security)\n[![Mutation testing badge](https://img.shields.io/endpoint?style=flat\u0026url=https%3A%2F%2Fbadge-api.stryker-mutator.io%2Fgithub.com%2Fyiisoft%2Fsecurity%2Fmaster)](https://dashboard.stryker-mutator.io/reports/github.com/yiisoft/security/master)\n[![static analysis](https://github.com/yiisoft/security/workflows/static%20analysis/badge.svg)](https://github.com/yiisoft/security/actions?query=workflow%3A%22static+analysis%22)\n[![type-coverage](https://shepherd.dev/github/yiisoft/security/coverage.svg)](https://shepherd.dev/github/yiisoft/security)\n\nThe Security package provides a set of classes to handle common security-related tasks:\n\n- Random values generation\n- Password hashing and validation\n- Encryption and decryption\n- Data tampering prevention\n- Masking token length\n\n## Requirements\n\n- PHP 8.1 or higher.\n- `hash` PHP extension.\n- `openssl` PHP extension.\n\n## Installation\n\nThe package can be installed with [Composer](https://getcomposer.org):\n\n```shell\ncomposer require yiisoft/security\n```\n\n## General usage\n\n### Random values generation\n\nIn order to generate a random string that is 42 characters long, use:\n\n```php\n$randomString = Random::string(42);\n```\n\nThe following extras are available via PHP directly:\n\n- `random_bytes()` for bytes. Note that the output may not be ASCII.\n- `random_int()` for integers.\n\n### Password hashing and validation\n\nWorking with passwords includes two steps. 
Saving password hashes:\n\n```php\n$hash = (new PasswordHasher())-\u003ehash($password);\n\n// save hash to database or another storage\nsaveHash($hash);\n```\n\nValidating a password against the hash:\n\n```php\n// obtain hash from database or another storage\n$hash = getHash();\n\n// true when the password matches the stored hash\n$result = (new PasswordHasher())-\u003evalidate($password, $hash);\n```\n\n### Encryption and decryption by password\n\nEncrypting data:\n\n```php\n$encryptedData = (new Crypt())-\u003eencryptByPassword($data, $password);\n\n// save data to database or another storage\nsaveData($encryptedData);\n```\n\nDecrypting it:\n\n```php\n// obtain encrypted data from database or another storage\n$encryptedData = getEncryptedData();\n\n$data = (new Crypt())-\u003edecryptByPassword($encryptedData, $password);\n```\n\n### Encryption and decryption by key\n\nEncrypting data:\n\n```php\n$encryptedData = (new Crypt())-\u003eencryptByKey($data, $key);\n\n// save data to database or another storage\nsaveData($encryptedData);\n```\n\nDecrypting it:\n\n```php\n// obtain encrypted data from database or another storage\n$encryptedData = getEncryptedData();\n\n$data = (new Crypt())-\u003edecryptByKey($encryptedData, $key);\n```\n\n### Data tampering prevention\n\nMAC signing can be used to prevent data tampering. The `$key` must be present at both the sending and receiving\nsides. 
At the sending side:\n\n```php\n$signedMessage = (new Mac())-\u003esign($message, $key);\n\nsendMessage($signedMessage);\n```\n\nAt the receiving side:\n\n```php\n// obtain the signed message from the transport\n$signedMessage = receiveMessage();\n\ntry {\n    $message = (new Mac())-\u003egetMessage($signedMessage, $key);\n} catch (\\Yiisoft\\Security\\DataIsTamperedException $e) {\n    // data has been tampered with: do not use it\n}\n```\n\n### Masking token length\n\nMasking a token helps to mitigate the BREACH attack by randomizing how the token is output on each request.\nA random mask is applied to the token, making the string unique every time.\n\nIn order to mask a token:\n\n```php\n$maskedToken = \\Yiisoft\\Security\\TokenMask::apply($token);\n```\n\nIn order to get the original value from the masked one:\n\n```php\n$token = \\Yiisoft\\Security\\TokenMask::remove($maskedToken);\n```\n\n### Native PHP functionality\n\nIn addition to this library's methods, there is a set of handy native PHP functions.\n\n#### Timing attack resistant string comparison\n\nComparing strings as usual is not secure when dealing with user-entered passwords or key phrases. Usual string comparison\nreturns as soon as a difference between the strings is found, so an attacker could efficiently brute-force character by character,\nmoving on to the next one as soon as the response time increases.\n\nThere is a special function in PHP that compares strings in constant time:\n\n```php\nhash_equals($expected, $actual);\n```\n\n## Documentation\n\n- [Internals](docs/internals.md)\n\nIf you need help or have a question, the [Yii Forum](https://forum.yiiframework.com/c/yii-3-0/63) is a good place for that.\nYou may also check out other [Yii Community Resources](https://www.yiiframework.com/community).\n\n## License\n\nYii Security is free software. 
It is released under the terms of the BSD License.\nPlease see [`LICENSE`](./LICENSE.md) for more information.\n\nMaintained by [Yii Software](https://www.yiiframework.com/).\n\n## Support the project\n\n[![Open Collective](https://img.shields.io/badge/Open%20Collective-sponsor-7eadf1?logo=open%20collective\u0026logoColor=7eadf1\u0026labelColor=555555)](https://opencollective.com/yiisoft)\n\n## Follow updates\n\n[![Official website](https://img.shields.io/badge/Powered_by-Yii_Framework-green.svg?style=flat)](https://www.yiiframework.com/)\n[![Twitter](https://img.shields.io/badge/twitter-follow-1DA1F2?logo=twitter\u0026logoColor=1DA1F2\u0026labelColor=555555?style=flat)](https://twitter.com/yiiframework)\n[![Telegram](https://img.shields.io/badge/telegram-join-1DA1F2?style=flat\u0026logo=telegram)](https://t.me/yii3en)\n[![Facebook](https://img.shields.io/badge/facebook-join-1DA1F2?style=flat\u0026logo=facebook\u0026logoColor=ffffff)](https://www.facebook.com/groups/yiitalk)\n[![Slack](https://img.shields.io/badge/slack-join-1DA1F2?style=flat\u0026logo=slack)](https://yiiframework.com/go/slack)\n","funding_links":["https://opencollective.com/yiisoft","https://github.com/sponsors/yiisoft"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyiisoft%2Fsecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyiisoft%2Fsecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyiisoft%2Fsecurity/lists"}