Zero Trust
Also Known As
zero trust architecture
ZTA
never trust always verify
TL;DR
Never trust, always verify — authenticate and authorise every request regardless of network location.
Explanation
Zero Trust is a security model that eliminates the concept of a trusted internal network. Traditional perimeter security assumes anything inside the firewall is safe — Zero Trust assumes breach and verifies every request as if it originates from an untrusted network. In practice: authenticate every user and device, authorise every individual resource access, encrypt all traffic (including internal), log everything, and grant least-privilege access. Particularly important for cloud and hybrid environments where the "inside" is not well-defined.
Common Misconception
✗ Zero trust means no one is ever authenticated or trusted.
✓ Zero trust means trust is never assumed based on network location: every request is authenticated, authorised, and encrypted regardless of whether it originates inside or outside the perimeter.
Why It Matters
Zero Trust removes the 'trusted internal network' assumption that attackers abuse. Once an attacker has a single foothold inside a flat network (a phished laptop, a stolen VPN credential, a malicious dependency running on a build host), perimeter-based controls treat them as a legitimate insider and they can move laterally to every service that trusts the network. Authenticating and authorising every request regardless of network location means one compromised host buys the attacker only what that host's own identity is permitted to do, and the logs of those checks are where the lateral movement becomes visible.
Common Mistakes
- Trusting requests because they come from an internal IP — internal networks are routinely compromised.
- Service-to-service calls without authentication — a compromised internal service gets unrestricted access.
- Long-lived credentials instead of short-lived tokens — compromised credentials have a longer attack window.
- Not logging and monitoring internal traffic — lateral movement after initial compromise goes undetected.
Code Examples
✗ Vulnerable
// Trust based on network location:
class AdminController {
    private array $internal_ips = ['10.0.1.5', '10.0.1.6']; // "trusted" office/VPN addresses (constructed)
    public function handle(Request $request) {
        if (in_array($_SERVER['REMOTE_ADDR'], $this->internal_ips, true)) {
            // Bypass authentication — 'trusted' internal request
            return $this->handleAdminAction($request);
        }
        abort(401); // only external callers are asked to authenticate
    }
}
// Attacker on internal network (via phishing, supply chain, a stolen VPN login) bypasses all auth
✓ Fixed
// Zero Trust — never trust, always verify
// Even internal services must authenticate
// Service-to-service auth with a shared secret: HMAC over timestamp, method, endpoint and body
class InternalApiClient {
    public function request(string $endpoint, array $data): array {
        $ts   = time();            // read the clock once so the header and the MAC agree
        $body = json_encode($data);
        // Binding the MAC to the timestamp and endpoint stops a captured token being replayed
        // later or against a different endpoint; the receiver must reject stale timestamps
        $token = hash_hmac('sha256', $ts . "\nPOST\n" . $endpoint . "\n" . $body, $_ENV['INTERNAL_SECRET']);
        return $this->http->post($endpoint, $data, [
            'X-Internal-Token' => $token,
            'X-Timestamp'      => (string) $ts,
        ]);
    }
}
// Per-request authorisation even inside the network:
class OrderService {
    public function getOrder(int $id, User $caller): Order {
        $order = Order::findOrFail($id);
        // Object-level check on every call: ownership or admin role, never "it came from inside"
        if ($order->user_id !== $caller->id && !$caller->isAdmin()) abort(403);
        return $order; // verified even on 'trusted' internal call
    }
}
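The fixed example signs outgoing requests but does not show the receiving side, which is where the zero-trust decision is actually made. The following PHP (7.4 or later) is an added example, not code from the original page: a verifier that recomputes the HMAC over timestamp, method, path and raw body, rejects tokens outside a short freshness window (the short-lived credential from the third common mistake), compares with hash_equals(), and logs every accept and reject decision (the fourth common mistake). The class name InternalRequestVerifier, the 30-second window, the demo secret and the sample request are assumptions constructed for the demo; the canonical string layout (timestamp, method, path, body, newline-separated) is likewise an assumption and must be identical on the signing side.

```php
<?php
declare(strict_types=1);
// Added example, not from the original page. InternalRequestVerifier, the header
// names, the canonical string layout and the 30-second window are assumptions.

final class InternalRequestVerifier
{
    private string $secret;
    private int $maxSkewSeconds;

    public function __construct(string $secret, int $maxSkewSeconds = 30)
    {
        $this->secret = $secret;
        $this->maxSkewSeconds = $maxSkewSeconds; // tokens outside this window are stale
    }

    /** The exact byte string both sides MAC: timestamp, method, path and raw body. */
    public static function canonical(int $ts, string $method, string $path, string $body): string
    {
        return $ts . "\n" . strtoupper($method) . "\n" . $path . "\n" . $body;
    }

    /** True only for a well-formed, fresh, correctly signed request. The source IP is never consulted. */
    public function verify(array $headers, string $method, string $path, string $body, int $now): bool
    {
        $ts    = filter_var($headers['X-Timestamp'] ?? '', FILTER_VALIDATE_INT);
        $token = $headers['X-Internal-Token'] ?? '';
        if ($ts === false || $token === '') {
            return $this->decide(false, 'missing auth headers', $method, $path);
        }
        if (abs($now - $ts) > $this->maxSkewSeconds) {
            return $this->decide(false, 'stale timestamp', $method, $path);
        }
        $expected = hash_hmac('sha256', self::canonical($ts, $method, $path, $body), $this->secret);
        // hash_equals() is constant-time; a plain === comparison leaks timing information
        if (!hash_equals($expected, $token)) {
            return $this->decide(false, 'bad signature', $method, $path);
        }
        return $this->decide(true, 'ok', $method, $path);
    }

    /** Log every decision, accept and reject alike: lateral movement shows up here. */
    private function decide(bool $ok, string $reason, string $method, string $path): bool
    {
        fwrite(STDERR, sprintf("[internal-auth] %s %s %s reason=%s\n",
            $ok ? 'ACCEPT' : 'REJECT', $method, $path, $reason));
        return $ok;
    }
}

// --- constructed demo: one genuine signed request, then two tampered variants ---
$secret   = 'dev-only-secret';            // constructed; load from a secrets store in production
$verifier = new InternalRequestVerifier($secret);

$ts   = time();
$body = json_encode(['order_id' => 42]);
$headers = [
    'X-Timestamp'      => (string) $ts,
    'X-Internal-Token' => hash_hmac('sha256',
        InternalRequestVerifier::canonical($ts, 'POST', '/orders/42', $body), $secret),
];

// 1. The genuine request, checked at the time it was sent
$verifier->verify($headers, 'POST', '/orders/42', $body, $ts);
// 2. The same token replayed ten minutes later
$verifier->verify($headers, 'POST', '/orders/42', $body, $ts + 600);
// 3. The body altered in transit
$verifier->verify($headers, 'POST', '/orders/42', '{"order_id":99}', $ts);
```

Run it with `php verifier.php` and watch the decision log on stderr. Two caveats a reviewer would raise: a single shared secret means any service holding it can impersonate any other, so the receiver still has no real caller identity to authorise against; per-service credentials (mTLS client certificates or one key per service) fix that and give the OrderService-style ownership check a trustworthy caller. And the freshness window only bounds replay, it does not prevent it; blocking replays inside the window needs a nonce or request-id store. TLS is still required for confidentiality, the HMAC only provides integrity and origin.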
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
DEV INTEL
Tools & Severity
Severity: Info
Fix effort: High
Quick Fix: Verify every request explicitly — authenticate and authorise on each API call, never assume trust based on network location
Applies To: PHP 5.0+ (web, api, cli)
Detection Hints: Auth bypass based on internal IP or assumed trusted network; missing auth on internal API endpoints
Auto-detectable: No (no semgrep rule)
AI Agent: Confidence Medium; False Positives Medium; Manual fix (effort High); Context: File
CWE-284 (Improper Access Control)
CWE-1188 (Initialization of a Resource with an Insecure Default)