Hello,

I hope it's ok to discuss this offtopic question, otherwise feel free to delete it.

As I was reading through the "Welcome to the GrapheneOS discussion forum!" topic, I came across a post from Daniel (strcat), in which he talks about why the GrapheneOS team chose to use Flarum as the forum software and that they explicitly tried to avoid PHP. This gave me the impression that PHP is insecure and should therefore be avoided. Did I misinterpret something, or is it true that PHP is considered insecure?

What are better alternatives to PHP?

There was also a part in the post mentioned above where Daniel says he would prefer PostgreSQL, which led me to a similar question: what are secure databases? What are insecure databases?

And now I'm going crazy: if you would develop some general sort of web page/application from ground up, what software/frameworks would you consider? What would you try to avoid?

I know that these are vague questions and that it always depends, but it would be nice to get some kind of direction.

Thanks ;)

    Now that I think about it... Daniel bro prefers nginx instead of Apache! So is nginx more secure than Apache?

    Personally I'm not well versed in PHP, but there are some hints:

    • The implementation: PHP doesn't have the greatest track record when it comes to security.
    • The language: it's a permissive language and as such leaves a huge room for "bad code".
    • The ecosystem: it can get very bad too, with buggy libraries being legion.

    PHP itself isn't fundamentally insecure. There are sane libraries and sane frameworks/subsets of PHP that you can use, and as long as you keep the engine up-to-date, there shouldn't be major issues. But the thing is, PHP is popular, so there is a lot of mess that happened and will happen.

    Security modules such as Snuffleupagus can be used to kill entire bug classes. Maybe you can read about them, as that can give you an idea of common PHP code weaknesses.

    Flarum, in this case, doesn't look too bad and is modern PHP software.

    And now I'm going crazy: if you would develop some general sort of web page/application from ground up, what software/frameworks would you consider? What would you try to avoid?

    I would just learn Go as it seems particularly suited for web apps and has a nicer ecosystem.

    So is nginx more secure than Apache?

    nginx and Apache both suffer from having a memory-unsafe codebase (written in C). From the looks of it, nginx seems to have a better security track record, which may indicate a saner codebase. It also has more security features and is well-regarded in general.

    The only memory-safe alternative I'm aware of is Caddy, but it lacks features and is way less efficient at the moment.

      Taltessy @Wonderfall answered everything pretty well so I'll just comment on this:

      And now I'm going crazy: if you would develop some general sort of web page/application from ground up, what software/frameworks would you consider? What would you try to avoid?

      Definitely avoid memory-unsafe languages like C/C++ in the backend. I'd also recommend avoiding JavaScript and even TypeScript in the backend. They're not type safe or good for untrusted input validation, and the Node.js ecosystem is a notorious dependency hell with outdated dependencies with vulnerabilities. Rust is good, but its web ecosystem is quite young and there isn't a de-facto best web server framework yet. I think Go is a good choice since it's mostly memory safe (it doesn't protect against data races) and has a very fleshed-out standard library with APIs you'll typically need in a webserver, e.g. HTTP, SQL, JSON (not to mention official libraries for OAuth2, argon2, etc.). Kotlin/Java seem fine too, although I know less about the state of their web ecosystems.

      As for frontend, I'd tend to avoid SPA frameworks for similar reasons to avoiding Node.js, but honestly I don't know much about their individual dependency management and security practices/features. That's something I would like to look into.

      Marking this as solved.
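Taltessy's point above, that Go's standard library already covers HTTP and JSON for a backend that must validate untrusted input, illustrated with an added example that is not from this thread or any GrapheneOS project. It assumes a hypothetical `/posts` endpoint and a 64 KiB body cap; the request body is treated as hostile throughout.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"log"
	"net/http"
	"unicode/utf8"
)

// PostRequest is the only shape the endpoint accepts; every field is typed.
type PostRequest struct {
	Title string `json:"title"`
	Body  string `json:"body"`
}
const maxBodyBytes = 64 << 10 // assumed 64 KiB cap on request bodies

// decodeStrict reads untrusted JSON with a size bound, rejects unknown
// fields, wrong types and trailing data, then validates the fields.
func decodeStrict(r io.Reader) (PostRequest, error) {
	var req PostRequest
	dec := json.NewDecoder(io.LimitReader(r, maxBodyBytes))
	dec.DisallowUnknownFields() // {"title":"x","is_admin":true} is rejected
	if err := dec.Decode(&req); err != nil {
		return req, err // oversized bodies surface here as unexpected EOF
	}
	if err := dec.Decode(&struct{}{}); err != io.EOF {
		return req, errors.New("trailing data after JSON value")
	}
	if req.Title == "" || utf8.RuneCountInString(req.Title) > 200 {
		return req, errors.New("title must be 1..200 characters")
	}
	return req, nil
}

// createPost is the HTTP handler: malformed input gets a 400, never a panic.
func createPost(w http.ResponseWriter, r *http.Request) {
	req, err := decodeStrict(r.Body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{"accepted": req.Title})
}

func main() {
	http.HandleFunc("/posts", createPost)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil)) // loopback only
}
```

Everything here is `net/http`, `encoding/json` and `io` from the standard library; no third-party dependency is pulled in to get strict decoding.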

      10 days later

      Wonderfall nginx and Apache both suffer from having a memory-unsafe codebase (written in C). From the looks of it, nginx seems to have a better security track record, which may indicate a saner codebase. It also has more security features and is well-regarded in general.

      The only memory-safe alternative I'm aware of is Caddy, but it lacks features and is way less efficient at the moment.

      Finally I switched to NGINX 😮‍💨 It was hard, but after using apache2 for a long time and understanding how each feature works! After reading the NGINX docs I did my best and it seems like everything worked fine! 🤘🏻😀 It took me my whole 2 days of research 😷

        UnOrdinary Thanks for that feedback. I have also been looking to make the switch. I've used Apache for a looong time, though nothing serious or "production" level, so I may have a similar experience.