Every line of ForgeStack code is written with security as a first-class constraint — not an afterthought, not a checkbox. We don't ship code we wouldn't trust with our own production data.
The average PHP developer starts a new project, reuses some old auth code, skips the security review, and ships. This is how breaches happen.
The IBM Cost of a Data Breach Report 2024 puts the global average at $4.88M per incident. For a small SaaS product, a single breach is existential.
Studies consistently show the majority of web applications contain at least one OWASP Top 10 vulnerability — most introduced during rushed initial setup, not later feature development.
Every ForgeStack product ships with zero known vulnerabilities. Not because we claim it — because every release is audited, scanned, and tested before it leaves our hands.
"Security is not a feature. It's the foundation everything else is built on."
We don't add security at the end of a sprint. Authentication, encryption, input validation, rate limiting, and audit logging are present from line one — because retrofitting security into an existing codebase is far harder than starting with it in place.
Multiple independent security layers — so no single misconfiguration creates a breach. Encryption, auth, input validation, rate limiting, and audit logging all work independently.
Every request is treated as untrusted until proven otherwise. CSRF on every form, rate limiting on every auth route, parameterized queries everywhere — not just where it's convenient.
We publish exactly what we check on every release. No vague "security improvements" in changelogs. Every control is named, every CVE fix is documented, every test is public in the CI config.
Every release is scanned against OWASP Top 10, audited with PHPStan Level 8, and verified with composer audit before the version tag is pushed.
Critical CVEs are patched and released within 24 hours of public disclosure. Non-critical patches ship in the next scheduled release. Active subscribers are notified by email.
Security is never traded away for development speed. If a feature would require bypassing a security control, the feature waits — or the security model evolves properly.
The OWASP Top 10 is the industry standard for web application security risk. Here is the exact technical control we implement for each item — not claims, implementations.
| # | Vulnerability | Control in ForgeStack | Layer |
|---|---|---|---|
| A01 | Broken Access Control | Symfony Security voter system with role hierarchy (ROLE_USER → ROLE_ADMIN). All admin routes behind access_control firewall. EasyAdmin with per-entity permission rules. Principle of least privilege throughout — no business logic in controllers. | Framework |
| A02 | Cryptographic Failures | AES-256-CFB + HMAC-SHA256 (Encrypt-then-MAC) for all PII fields at the entity layer. Symfony PasswordHasher (Argon2id/bcrypt) for passwords. No MD5 or SHA-1 anywhere in the codebase. PII_KEY injected from environment — never stored in the database. | Entity layer |
| A03 | Injection (SQL, XSS, etc.) | Doctrine ORM with parameterized queries by default — zero raw SQL in ForgeStack code. Twig auto-escaping on all output. Symfony Validator on all user input. CSRF tokens on every state-changing form. | All layers |
| A04 | Insecure Design | Architecture follows principle of least privilege. Entities own their own validation rules. No business logic in controllers. PHPStan Level 8 enforces strict type safety at build time. Security reviewed per module before release. | Architecture |
| A05 | Security Misconfiguration | Production Docker profile ships secure by default: Xdebug OFF, OPcache ON, display_errors OFF, expose_php OFF. Nginx security headers configured. CORS configured. No debug toolbar, no stack traces in production responses. | Docker / Config |
| A06 | Vulnerable Components | composer audit runs on every CI execution against the PHP Security Advisories Database. No release ships with known CVEs. Dependencies updated monthly minimum. Critical CVE patches released within 24 hours of disclosure. | CI/CD |
| A07 | Auth & Session Failures | Symfony Rate Limiter on login (5 attempts / 15 min). TOTP 2FA in Auth module. Secure-only session cookies. Password reset tokens: single-use, 1-hour expiry. Account enumeration protected via constant-time responses. | Auth module |
| A08 | Software & Data Integrity Failures | Signed releases with GitHub attestations. Composer lock file committed and verified on every install. No unsigned or third-party CDN resources in production builds — all assets served from your own infrastructure. | Supply chain |
| A09 | Security Logging & Monitoring Failures | Symfony Monolog audit log channel included and pre-configured. Authentication events, permission denials, and rate-limit triggers are logged. Log storage kept separate from application logs for tamper resistance. | Logging |
| A10 | Server-Side Request Forgery (SSRF) | Outbound HTTP exclusively via Symfony HttpClient with explicit timeout configuration. No server-side URL fetch from user-supplied input in any ForgeStack code. Allowlist pattern documented for any integration requiring outbound requests. | HTTP layer |
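The A02 row describes the entity-layer scheme as AES-256-CFB with an HMAC-SHA256 tag in Encrypt-then-MAC order, keyed from an environment-supplied PII_KEY. The following is an added illustration of that construction, not ForgeStack's own entity-layer code: it assumes PII_KEY is 64 raw bytes split into a 32-byte AES key and a 32-byte HMAC key, authenticates the IV together with the ciphertext, and verifies the tag in constant time before any decryption takes place.

```php
<?php
declare(strict_types=1);

// Added example: AES-256-CFB + HMAC-SHA256 in Encrypt-then-MAC order.
// Not ForgeStack's code. The key layout (one 64-byte PII_KEY split into an
// encryption half and a MAC half) is an assumption made for this example.

final class PiiCipher
{
    private const CIPHER = 'aes-256-cfb';
    private const IV_LEN = 16;   // AES block size
    private const TAG_LEN = 32;  // HMAC-SHA256 output

    private string $encKey;
    private string $macKey;

    public function __construct(string $piiKey)
    {
        // Separate keys for encryption and authentication; never reuse one key for both.
        if (strlen($piiKey) !== 64) {
            throw new InvalidArgumentException('PII_KEY must be 64 raw bytes (32 for AES, 32 for HMAC)');
        }
        $this->encKey = substr($piiKey, 0, 32);
        $this->macKey = substr($piiKey, 32, 32);
    }

    public function encrypt(string $plaintext): string
    {
        $iv = random_bytes(self::IV_LEN);  // fresh random IV per field value
        $ciphertext = openssl_encrypt($plaintext, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ciphertext === false) {
            throw new RuntimeException('encryption failed');
        }
        // The tag covers IV || ciphertext so neither can be altered undetected.
        $tag = hash_hmac('sha256', $iv . $ciphertext, $this->macKey, true);
        return base64_encode($iv . $ciphertext . $tag);
    }

    public function decrypt(string $encoded): string
    {
        $blob = base64_decode($encoded, true);
        if ($blob === false || strlen($blob) < self::IV_LEN + self::TAG_LEN) {
            throw new RuntimeException('malformed ciphertext');
        }
        $tag  = substr($blob, -self::TAG_LEN);
        $body = substr($blob, 0, -self::TAG_LEN);  // iv || ciphertext
        $expected = hash_hmac('sha256', $body, $this->macKey, true);
        // Verify the tag BEFORE decrypting, using a constant-time comparison.
        if (!hash_equals($expected, $tag)) {
            throw new RuntimeException('authentication failed: ciphertext rejected');
        }
        $iv = substr($body, 0, self::IV_LEN);
        $ciphertext = substr($body, self::IV_LEN);
        $plaintext = openssl_decrypt($ciphertext, self::CIPHER, $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($plaintext === false) {
            throw new RuntimeException('decryption failed');
        }
        return $plaintext;
    }
}

// Demo with a constructed key (in a real deployment the key comes from the environment).
$key = random_bytes(64);
$cipher = new PiiCipher($key);
$stored = $cipher->encrypt('jane.doe@example.com');
assert($cipher->decrypt($stored) === 'jane.doe@example.com');

// Flip one bit inside the ciphertext: the HMAC check rejects it before decryption runs.
$raw = base64_decode($stored, true);
$raw[20] = chr(ord($raw[20]) ^ 0x01);
try {
    $cipher->decrypt(base64_encode($raw));
    echo "FAIL: tampering not detected\n";
} catch (RuntimeException $e) {
    echo "tampered ciphertext rejected: {$e->getMessage()}\n";
}
```

The ordering matters: CFB mode on its own is malleable, so the integrity check has to run over the raw ciphertext first, and `hash_equals` keeps the tag comparison from leaking timing information. Checking the tag before calling `openssl_decrypt` also means malformed input never reaches the cipher at all.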
No code reaches a version tag without passing every one of these gates. The pipeline fails loudly — it doesn't warn and continue.
The strictest level of PHP static analysis. Zero type errors, zero null pointer issues, zero dead code permitted. Type safety is enforced at build time — not discovered at runtime when a user's data is at risk.
Queries the PHP Security Advisories Database against the exact locked dependency versions. Any known CVE in any dependency — direct or transitive — fails the build and blocks the release.
Unit tests for all service classes. Functional tests covering auth flows, admin access control, webhook delivery, and module install procedures — run against a real PostgreSQL container, not mocks.
A deliberate, human review of every OWASP Top 10 item against any new code surface. Signed off by Ruben personally on every module release. This is the control that automation cannot replace.
These are not aspirational targets — they are commitments we hold ourselves to publicly. Breach of these SLAs will be disclosed in our changelog.
Any vulnerability rated Critical (CVSS ≥ 9.0) in a dependency or in ForgeStack code itself is patched and released within 24 hours of public disclosure. Active update subscribers are notified immediately.
All Composer dependencies are reviewed and updated at minimum monthly — regardless of whether any CVE has been disclosed. This keeps the dependency tree current and reduces exposure window.
Every version tag — patch, minor, and major — triggers a full OWASP checklist review, PHPStan run, and composer audit before the release is published.
Every security patch release triggers an email to all active update subscribers with the CVE reference, affected versions, recommended action, and a plain-English explanation of the risk. You are never left to discover a security issue in a changelog buried on a GitHub releases page.
Your purchased ForgeStack installation runs entirely on your own infrastructure. There is no telemetry, no phone-home mechanism, and no remote disable capability.
No internet connection is required at runtime. No license server ping, no usage telemetry. Your app boots and serves traffic without ever contacting ForgeStack servers.
If your update subscription lapses, your installed version keeps running indefinitely. The only consequence is that future security patches and new modules stop being delivered.
ForgeStack cannot read, access, or transmit any data from your application. Your database credentials, PII, and business data exist solely on infrastructure you control.
Even the 14-day trial uses a locally-validated JWT signed with our RSA key. No network call is made to check trial status — the trial image validates the signature offline using the embedded public key.
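As an added example of the offline check described above (not ForgeStack's trial code), the snippet below mints an RS256 JWT with a private key and then verifies it using only the public key and the local clock. The key pair is generated inline for the demonstration; in the scenario the page describes, only the public key would be embedded in the image and the private key never leaves the vendor. The claim names (sub, iat, exp) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: offline RS256 JWT validation with an embedded public key.
// Not ForgeStack's code. Key pair and claim names are constructed for the demo.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $s): string
{
    $pad = strlen($s) % 4;
    if ($pad !== 0) {
        $s .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($s, '-_', '+/'), true);
    if ($out === false) {
        throw new RuntimeException('bad base64url');
    }
    return $out;
}

/** Vendor side: sign the claims with the private key. */
function issueTrialToken(array $claims, string $privateKeyPem): string
{
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    if (!openssl_sign("$header.$payload", $sig, $privateKeyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return "$header.$payload." . b64url($sig);
}

/** App side: verify with the embedded public key only; no network call is made. */
function verifyTrialToken(string $jwt, string $publicKeyPem, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('malformed token');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    // Pin the algorithm: the token's own "alg" header must never select the verifier.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('unexpected alg');
    }
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature invalid');
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new RuntimeException('trial expired');
    }
    return $claims;
}

// Constructed key pair for the demonstration only.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privPem);
$pubPem = openssl_pkey_get_details($pair)['key'];

$now = time();
$jwt = issueTrialToken(['sub' => 'trial-demo', 'iat' => $now, 'exp' => $now + 14 * 86400], $privPem);
$claims = verifyTrialToken($jwt, $pubPem, $now);
echo "trial valid for {$claims['sub']}\n";

// A payload with the expiry pushed out but the original signature fails verification.
[$h, $p, $s] = explode('.', $jwt);
$forged = b64url(json_encode(['sub' => 'trial-demo', 'iat' => $now, 'exp' => $now + 365 * 86400]));
try {
    verifyTrialToken("$h.$forged.$s", $pubPem, $now);
    echo "FAIL: forged token accepted\n";
} catch (RuntimeException $e) {
    echo "forged token rejected: {$e->getMessage()}\n";
}
```

Two details carry the security of this check: the verifier pins RS256 rather than reading the algorithm from the token, and the expiry is compared against the local clock only after the signature has been confirmed, so an edited payload is rejected before its claims are ever consulted.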
1. You purchase and receive a REGISTRY_TOKEN scoped to image pulls.
2. The token is used only for docker compose pull, which fetches updated base images.
3. Your running application never calls the token endpoint; it only matters when you explicitly run make update.
4. If the subscription lapses, the token is revoked and make update fails gracefully. Your app keeps serving traffic on the current version.
We publicly commit to maintaining zero known critical vulnerabilities across every ForgeStack product at the time of release. Every version that leaves our repository has passed PHPStan Level 8 analysis, a clean composer audit, and a manual OWASP Top 10 review. If a security vulnerability is discovered in your purchased version, we will notify you directly by email within 24 hours and ship a fix before public disclosure. We will never quietly patch a vulnerability and bury it in a changelog.
Your users' data is your reputation. We take that seriously — not as a marketing statement, but as the reason this product exists.
Found a vulnerability? Contact us directly.
Every line audited. Every release verified. Every CVE patched in under 24 hours. Stop worrying about security — we handle it.
14-day money-back guarantee · One-time payment · 12 months of updates