CodeIgniter supports some basic web security options by default!
I think it's better to enable these basic security options by default.
It's more likely that users who build a new website or application from
the ground up with CodeIgniter will get used to this, and they can still turn
it off later if they need to. From a web security perspective, we can support a more secure
web, by default! Who agrees?
diff --git a/application/config/config.php b/application/config/config.php
index ae748de..4ee87ae 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -302,11 +302,11 @@
$config['sess_valid_drivers'] = array();
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
-$config['sess_expire_on_close'] = FALSE;
-$config['sess_encrypt_cookie'] = FALSE;
+$config['sess_expire_on_close'] = TRUE;
+$config['sess_encrypt_cookie'] = TRUE;
$config['sess_use_database'] = FALSE;
$config['sess_table_name'] = 'ci_sessions';
-$config['sess_match_ip'] = FALSE;
+$config['sess_match_ip'] = TRUE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
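Review bot: `$config['sess_encrypt_cookie'] = TRUE;` only works when `$config['encryption_key']` is set, and as far as I recall the stock config ships that key empty, so this default would make the Session library refuse to load on a fresh install until the developer generates a key — the PR should either handle that or at least annotate the setting, e.g. `// Requires a non-empty $config['encryption_key']; the Session library will not start without one when this is TRUE.` `$config['sess_match_ip'] = TRUE;` is a weaker gain than it looks: it invalidates the session for any client whose address changes mid-session (mobile carriers, corporate proxies, IPv6 privacy addresses) while doing little against an attacker behind the same NAT, so I'd leave it FALSE by default and rely on `sess_match_useragent`, which is already TRUE here. Note also that with `sess_use_database = FALSE` the entire session payload still lives in the client-side cookie; encryption protects its confidentiality, but the cookie's Secure/HttpOnly flags (configured elsewhere, not in this hunk) are what actually limit theft over plaintext transport or via script, and they would be worth reviewing in the same secure-by-default pass.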
@@ -351,7 +351,7 @@
| COOKIE data is encountered
|
*/
-$config['global_xss_filtering'] = FALSE;
+$config['global_xss_filtering'] = TRUE;
/*
|--------------------------------------------------------------------------