Fix Security Misconfiguration in CodeIgniter

CodeIgniter's 'convention over configuration' often leads to lazy security postures. Leaving the environment in development mode or failing to harden the Security and Cookie configurations allows for trivial Information Disclosure, CSRF, and Session Hijacking. We are going to lock down the environment variables and force strict transport security settings.

The Vulnerable Pattern

// .env
CI_ENVIRONMENT = development
// app/Config/Security.php
public $csrfProtection  = ‘cookie’;
public $regenerate      = false;
// app/Config/Cookie.php
public $secure   = false;
public $httponly = false;
public $samesite = ‘None’;

The Secure Implementation

Switching CI_ENVIRONMENT to 'production' disables the Whoops/Debug toolbar, preventing stack trace leakage. Migrating CSRF protection to 'session' storage prevents attackers from manipulating the CSRF token via client-side injection. Enforcing 'httponly' and 'secure' flags on cookies ensures that session identifiers are never accessible via JavaScript and are never transmitted over unencrypted channels. Setting 'samesite' to 'Lax' adds a browser-level layer of defense against cross-site request forgery.

// .env
CI_ENVIRONMENT = production
// app/Config/Security.php
public $csrfProtection  = ‘session’; // Stronger than cookie-based
public $tokenName       = ‘csrf_token_prod’;
public $headerName      = ‘X-CSRF-TOKEN’;
public $regenerate      = true;      // Prevent token reuse
public $redirect        = true;
// app/Config/Cookie.php
public $secure   = true;   // Encrypted transport only
public $httponly = true;   // Mitigates XSS-based cookie theft
public $samesite = ‘Lax’;  // Prevents CSRF on cross-site requests