Security & Environments

HexPHP ships with a zero-dependency .env file parser and CSRF protection integrated into the front controller.

Environment Variables

Configuration goes in the .env file at your project root. The framework parses this file itself, without relying on third-party libraries. You can retrieve these values anywhere in your application using \App\Core\Env::get().

<?php
// e.g. grabbing your database connection settings
$database = \App\Core\Env::get('DB_DATABASE', 'default_sqlite.db');
$connection = \App\Core\Env::get('DB_CONNECTION');

CSRF Protection

The session is started in `index.php`. The framework immediately generates a cryptographically secure token tied to the browser session. Through `System::scripts()`, HexPHP also attaches this token automatically to every outgoing HTMX request, so you do not have to add it to those requests by hand.

<?php
// In a form component, output it manually if needed:
echo '<input type="hidden" name="csrf_token" value="' . \App\Core\Security::csrfToken() . '">';

// In a controller that handles form posting, verify it easily:
if (!\App\Core\Security::verifyCsrf($_POST['csrf_token'] ?? '')) {
    \App\Controllers\Router::abort(403, 'CSRF Token Mismatch');
}
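
The session-bound token pattern described above, as an added sketch that is not HexPHP's own code: the `example_*` helpers and the `csrf_token` session key are assumptions for illustration, and the session array is passed in so the script runs from the CLI. It shows the checks a verifier needs when the submitted value is missing, empty, or not a string.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (assumed names), not HexPHP's implementation.
// Requires PHP 8.0+ for the `mixed` type.

/** Return the session's CSRF token, creating it on first use. */
function example_csrf_token(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so the value contains
        // only [0-9a-f] and is safe to place in an HTML attribute.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Check a submitted value against the token stored in the session. */
function example_verify_csrf(array $session, mixed $submitted): bool
{
    $expected = $session['csrf_token'] ?? null;

    // Fail closed when no token was ever issued for this session, or when
    // the client sent a non-string: a body of csrf_token[]=x arrives in
    // $_POST as an array, which hash_equals() would reject with a TypeError.
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }

    // Timing-safe comparison; == or === can leak how many leading
    // characters matched.
    return hash_equals($expected, $submitted);
}

// Constructed demo: $session stands in for $_SESSION.
$session = [];
$token = example_csrf_token($session);

$cases = [
    'matching token'    => example_verify_csrf($session, $token),
    'empty string'      => example_verify_csrf($session, ''),
    'array instead'     => example_verify_csrf($session, ['x']),
    'no session token'  => example_verify_csrf([], $token),
];

foreach ($cases as $label => $accepted) {
    printf("%-18s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```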