Improve PHP security: Eight default PHP configurations that must be modified to improve php security

Improve PHP security: Eight default PHP configurations that must be modified to improve php security

Obviously, PHP + Mysql + Apache is a popular web technology. This combination is powerful, scalable, and free of charge. However, the default PHP settings are not suitable for websites that have already been launched. Modify the default configuration file to enhance the PHP security policy!

0x01: Disable remote url File Processing

A file handler like fopen accepts the rul parameters of the file (for example, fopen ('HTTP: // www.yoursite.com ', 'R ')).), this function can easily access remote resources. However, this is a very important security threat. Disabling this function to restrict file functions is a good choice in php. make the following changes in the INI file:
Copy codeThe Code is as follows:
Allow_url_fopen = Off

0x02: Disable registration of global variables

In php versions earlier than version 4.2.0, global variables are used as input. This function is called register_globals, which causes many security problems in web applications, because it allows attackers to easily manipulate global variables in some situations, we are lucky that this function is disabled by default in 4.2.0, which is very dangerous, disable this function under any circumstances. If some scripts require this function, this script has potential security threats. Modify pnp. ini to disable this function:

Copy codeThe Code is as follows:
Register_globals = Off

0x03: Restrict php read/write operations

In many web development processes, php scripts need to read and write to the local file system, such as/var/www/htdocs/files. To enhance security, you can modify the read and write permissions of local files:
Copy codeThe Code is as follows:
Open_basedir =/var/www/htdocs/files

0x04: Posing Limit

It is the best policy to restrict PHP Execution time, memory usage, post and upload data. You can configure the following:
Copy codeThe Code is as follows:
Max_execution_time = 30; Max script execution time
Max_input_time = 60; Max time spent parsing input
Memory_limit = 16 M; Max memory used by one script
Upload_max_filesize = 2 M; Max upload file size
Post_max_size = 8 M; Max post size

0x05: Disable Error messages and enable logging

In the default settings, php will output an error message to the browser. During application development, this default setting is the most reasonable configuration. However, it can also disclose some security information to users, such as the installation path and user name. In a developed website, it is best to disable error messages and output the error messages to the log file.

Copy codeThe Code is as follows:
Display_errors = Off
Log_errors = On

0x06: Hide the PHP File

If the PHP file is not hidden, we can get the PHP version of the server in multiple ways, such as using: http://www.example.com/script.php? = PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

Obviously, we do not want users to directly obtain the PHP version of your website server. Fortunately, there is a switch in php. ini to disable this function:
Copy codeThe Code is as follows:
Expose_php = Off

0x07: security mode configuration

By default, php can be configured as safe mode. In this mode, Apache prohibits access to files, environment variables, and binary programs. In safe mode, the biggest problem is that only the file owner can access this PHP file. If many developers develop this program together, this setting is impractical, when you need to access a PHP file, you need to modify the file owner. Another problem is that other programs cannot access these PHP files, the following configuration allows you to modify the permissions of a file to a user group rather than a single user.
Copy codeThe Code is as follows:
Safe_mode = Off
Safe_mode_gid = On

By enabling safe_mode_gid, you can use this group of Apache to access the PHP file. The security mode is also very effective for blocking the execution of binary files. However, developers want to run some binary files in certain situations. In these special circumstances, binary files can be put into a directory, for example (/var/www/binaries). You can make the following settings:
Copy codeThe Code is as follows:
Safe_mode_exec_dir =/var/www/binaries

Finally, the following settings allow you to access the server's environment variables and provide a prefix separated by "_". In this way, you can only access the environment variables with the specified prefix:

Copy codeThe Code is as follows:
Safe_mode_allowed_env_vars = PHP _

0x08: restrict access by public users to files with specific extensions

For security reasons, many files with a specific suffix cannot be accessed by public users, such. the file Suffix of inc contains some sensitive information, such as mysql connection information. If no proper configuration is available, every user can access this configuration file to enhance website security, you need .. configure the htaccess file as follows:
Copy codeThe Code is as follows:
<Filesmatch>
Order allow, deny
Deny from all
</Filesmatch>

0x09: Summary

The default PHP configuration is intended for developers. If the website is intended for a large number of users, we recommend that you reconfigure PHP.