Security

CSRF Protection: Added nonce-based state validation with round-trip via RelayState
XSS Prevention: HTML escaping in all POST binding forms (escapeHtml())
Open Redirect Prevention: URL validation blocks absolute URLs by default (isValidRedirectUrl())
XXE Protection: Disabled external entity loading in libxml2 _(xmlSubstituteEntitiesDefault(0))
Session Fixation: Session regeneration after successful authentication
Path Traversal Prevention: Improved validation using path.relative() and isAbsolute()
Memory Safety: Use explicit_bzero() for secure erasure of private keys (POSIX/Windows)
Input Validation: Metadata size limit (10 MB) to prevent DoS
Error Handling: Throw errors on session/identity restoration failure instead of silent fallback

Provide feedback

No results found