Using HTTPS everywhere is the right thing to do, so no argument from me there!

PHP needs to run hosted inside a server like Apache or Nginx. Thus you'd set up HTTPS with Apache or Nginx. There exist scripts that will automatically renew letsencrypt certificates for those servers, and they're pretty easy to set up.

If someone wants to rate 10000 instead of the maximum of 100, I reject it or if they provide other invalid data.

I don't know what "rating" means for you, so I have no idea what your security model should be. Is it OK if someone says "the rating of this is 99" ? As much as they can?

21 minutes ago, hplus0603 said:

I don't know what "rating" means for you, so I have no idea what your security model should be. Is it OK if someone says "the rating of this is 99" ? As much as they can?

Oh, sorry, it probably makes more sense if you have the full context.

Users can rate downloadable levels, expressing how much they like/enjoy it, so it does not really matter how much they rate it as long as it is within the given range of minimum and maximum : ) If it is outside boundaries, the request will be rejected, which makes sense since input should be validated as far as possible.

I'm yet unsure whether sending files is an easy task and reliable (images, files, ...) over HTTPS?

36 minutes ago, hplus0603 said:

Using HTTPS everywhere is the right thing to do, so no argument from me there!

PHP needs to run hosted inside a server like Apache or Nginx. Thus you'd set up HTTPS with Apache or Nginx. There exist scripts that will automatically renew letsencrypt certificates for those servers, and they're pretty easy to set up.

Ah! My issue with PHP is that is not statically typed, so I might stick with another solution anyway : ) But thanks for this insight, one never knows when that will help me!

10 minutes ago, Angelic Ice said:

Ah! My issue with PHP is that is not statically typed, so I might stick with another solution anyway : ) But thanks for this insight, one never knows when that will help me!

I think you are confused here. HTTPS has nothing to do with PHP or its nuances.

All the features you are asking can be simply done using standard web HTTP REST API interface. Similar to forums, Google Maps API, Twitter, Facebook, etc. This is language agnostic, and virtually all languages should have some libraries to do this. PHP, Java, Go, Python, Ruby, whatever that fancies you. HTTP supports file uploads.

HTTPS is a secure protocol on top of HTTP. It's always a good idea to use it. The hosting company can do it for you. If you are into system administrator and stuff, you can do it your own as long as you have the certificate. Again, this has nothing to do with the language.

Some languages are single-threaded like PHP, Ruby, and Python, and actually will have some problems handling multiple HTTP/S requests at the same time, and therefore needs additional libraries and tooling to do the threading, forking, and buffering so some users aren't getting a 500. This is where Apache and Nginx comes in to buffer those requests before getting into your code.

50 minutes ago, Angelic Ice said:

My issue with PHP is that is not statically typed, so I might stick with another solution anyway : )

If you are for some reason fond of PHP, but prefer static typing, there is always Hack.

It's basically a Facebook-developed PHP variant with type declarations (plus some other goodies).

I hear from people at Facebook that Hack may be put into maintenance mode, because they're developing a new language from scratch, with "some similarities" to PHP/Hack, but with all of the fundamental flaws fixed.
Personally, I just think they have envy of the status that Go from Google currently enjoys :-)

If you want static type checking, you should learn Rust or Haskell. Haskell has been around for a long time and has a very high quality runtime, and the Warp web interface library is OK. (For web server code, there's Yesod, which I'm not as much a fan of.) Rust is younger, but has a faster pace of development right now, and is also not garbage collected, so it could be a legitimate replacement for C sometime in the future.

One of the biggest advantages of offloading HTTPS to a gateway is that you are free to build micro services via domain specific languages.

For example:

I built a leaderboard using PHP because it's dead simple to handle databases when you don't care about performance.

I used Java to do high performance real time multiplayer stuff.

I can then use the same Certificate for both services by putting it in a separate gateway. They don't need to run on the same application server framework.

At work this becomes even more important, because sometimes we have microservices written on the same server in five different languages. HTTPS really has nothing to do with your application layer, it's more of a protocol, and as such you can (sort of) view it as a separate step in your network stack.

Hello Angelic Ice!

Before I published Galactic Crew as Early Access title on Steam last year, I had a Closed Alpha with around a hundred players. In order to analyze player behaviour, I gathered metrics like play-time, session length, computer hardware, etc. I needed a way to update all clients automatically and to collect the gathered data (All players agreed to that before downloading the Closed Alpha version!).

For this purpose, I rented a vServer for around 9 € per month and wrote my own server in C# that did exactly what I needed. Then, I built a custom TCP/IP layer in the Closed Alpha version and I was ready to go. First I was thinking about SQL data bases and other stuff, but I found it more suitable to create my own small console server.