Merge pull request #7389 from kenjis/update-concepts-security.rst

docs: improve concepts/security.rst

Author: kenjis

user_guide_src/source/concepts/security.rst

@@ -38,8 +38,9 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- :doc:`HTTP library <../incoming/incomingrequest>` provides for input field filtering & content metadata
-- Validation library
+- :ref:`invalidchars` filter
+- :doc:`../libraries/validation` library
+- :doc:`HTTP library <../incoming/incomingrequest>` provides for :ref:`input field filtering <incomingrequest-filtering-input-data>` & content metadata
 
 *********************************************
 A2 Weak authentication and session management
@@ -62,6 +63,7 @@ CodeIgniter provisions
 
 - :doc:`Session <../libraries/sessions>` library
 - :doc:`Security </libraries/security>` library provides for CSRF validation
+- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
 - Easy to add third party authentication
 
 *****************************
@@ -81,8 +83,9 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- esc function
-- Validation library
+- :php:func:`esc()` function
+- :doc:`../libraries/validation` library
+- Support for :ref:`content-security-policy`
 
 ***********************************
 A4 Insecure Direct Object Reference
@@ -103,7 +106,8 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- Validation library
+- :doc:`../libraries/validation` library
+- An official authentication and authorization framework :ref:`CodeIgniter Shield <shield>`
 - Easy to add third party authentication
 
 ****************************
@@ -144,7 +148,10 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- Session keys stored encrypted
+- The config for global secure access (``Config\App::$forceGlobalSecureRequests``)
+- :php:func:`force_https()` function
+- :doc:`../libraries/encryption`
+- The :ref:`database config <database-config-explanation-of-values>` (``encrypt``)
 
 ****************************************
 A7 Missing Function Level Access Control
@@ -165,8 +172,8 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- Public folder, with application and system outside
-- :doc:`Security </libraries/security>` library provides for CSRF validation
+- :ref:`Public <application-structure-public>` folder, with application and system outside
+- :doc:`Security </libraries/security>` library provides for :ref:`CSRF validation <cross-site-request-forgery>`
 
 ************************************
 A8 Cross Site Request Forgery (CSRF)
@@ -185,7 +192,7 @@ OWASP recommendations
 CodeIgniter provisions
 ======================
 
-- :doc:`Security </libraries/security>` library provides for CSRF validation
+- :doc:`Security </libraries/security>` library provides for :ref:`CSRF validation <cross-site-request-forgery>`
 
 **********************************************
 A9 Using Components with Known Vulnerabilities
@@ -222,4 +229,4 @@ CodeIgniter provisions
 ======================
 
 - :doc:`HTTP library <../incoming/incomingrequest>` provides for ...
-- :doc:`Session <../libraries/sessions>` library provides flashdata
+- :doc:`Session <../libraries/sessions>` library provides :ref:`sessions-flashdata`

user_guide_src/source/concepts/structure.rst

@@ -58,6 +58,8 @@ extend the classes, or create new classes, to provide the desired functionality.
 
 All files in this directory live under the ``CodeIgniter`` namespace.
 
+.. _application-structure-public:
+
 public
 ======
 

user_guide_src/source/database/configuration.rst

@@ -132,6 +132,8 @@ and decode it in the constructor in the Config class:
 
 .. literalinclude:: configuration/009.php
 
+.. _database-config-explanation-of-values:
+
 **********************
 Explanation of Values:
 **********************

user_guide_src/source/incoming/filters.rst

@@ -204,6 +204,8 @@ The filters bundled with CodeIgniter4 are: :doc:`Honeypot <../libraries/honeypot
 
 .. note:: The filters are executed in the order defined in the config file. However, if enabled, ``DebugToolbar`` is always executed last because it should be able to capture everything that happens in the other filters.
 
+.. _invalidchars:
+
 InvalidChars
 =============
 

user_guide_src/source/incoming/incomingrequest.rst

@@ -173,6 +173,8 @@ You can also use ``getRawInputVar()``, to get the specified variable from raw st
 
 .. literalinclude:: incomingrequest/039.php
 
+.. _incomingrequest-filtering-input-data:
+
 Filtering Input Data
 ====================
 

user_guide_src/source/libraries/sessions.rst

@@ -214,6 +214,8 @@ This method also accepts an array of item keys to unset:
 
 .. literalinclude:: sessions/018.php
 
+.. _sessions-flashdata:
+
 Flashdata
 =========