Top 10 PHP security best practices

Source: Internet
Author: User
Tags: php, error

This article is by Anson Cheung, a Hong Kong engineer at the well-known fashion media group ELLE. In it he lists ten PHP security best practices for system administrators to learn from and refer to. The original article is "Top 10 PHP best security practices for SYS admins"; it is translated below:

PHP is widely used in all kinds of web development. When the scripting configuration on the server is wrong, all kinds of problems can follow. Today most web servers run on Linux (for example Ubuntu or Debian). This article walks through the top ten PHP security best practices that let you configure PHP easily and securely.

Assumptions for the PHP security settings below:

DocumentRoot: /var/www/

Default web server: Apache

Default PHP configuration file: /etc/php.ini

Default PHP extensions config directory: /etc/php.d/

Our sample PHP security config file: /etc/php.d/security.ini (you need to create this file with a text editor)

Operating system: Ubuntu (the instructions should work on any other Linux distribution such as RHEL/CentOS/Fedora, or on other UNIX-like operating systems such as OpenBSD/FreeBSD/HP-UX).

1. Reduce the number of PHP built-in modules

To improve both performance and security, we strongly recommend reducing the number of modules loaded by PHP. First, list the installed modules with the following command:

    # php -m

You will get output similar to this:

    [PHP Modules]
    APC
    Bcmath
    Bz2
    Calendar
    Core
    Ctype
    Curl
    Date
    Dom
    Ereg
    EXIF
    Fileinfo
    Filter
    FTP
    GD
    Gettext
    GMP
    Hash
    Iconv
    IMAP
    JSON
    Libxml
    Mbstring
    Memcache
    MySQL
    Mysqli
    OpenSSL
    Pcntl
    PCRE
    PDO
    Pdo_mysql
    Pdo_sqlite
    Phar
    Readline
    Reflection
    Session
    Shmop
    Simplexml
    Sockets
    SPL
    Sqlite3
    Standard
    Suhosin
    Tokenizer
    Wddx
    XML
    Xmlreader
    XMLRPC
    Xmlwriter
    XSL
    Zip
    Zlib

    [Zend Modules]
    Suhosin

To remove a module, delete (or rename) its configuration file. For example, to remove the sqlite3 module:

    # rm /etc/php.d/sqlite3.ini

Or:

    # mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

2. Minimize PHP information leakage

By default, PHP adds a line to the HTTP headers of every response (for example, X-Powered-By: PHP/5.2.10). This hands an attacker valuable information about the software running on the system.

HTTP example:

    HTTP/1.1 200 OK
    X-Powered-By: PHP/5.2.10
    Content-type: text/html; charset=UTF-8
    Vary: Accept-Encoding, Cookie
    X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
    Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT
    ...

Therefore, we strongly recommend that you disable this information leak. To hide the PHP version, edit /etc/php.d/security.ini and set the following directive:

    expose_php=Off

3. Minimize the modules PHP loads

On RHEL, the configuration files for all modules PHP loads live in the /etc/php.d/ directory. To disable or enable a particular module, rename its configuration file in /etc/php.d/ (or comment out the module name inside that file). To optimize PHP performance and security, we strongly recommend enabling an extension only when your application needs it. For example, to disable the GD extension, type the following commands:

    # cd /etc/php.d/

    # mv gd.{ini,disable}

    # /etc/init.d/apache2 restart

To re-enable the PHP GD module, type the following commands:

    # mv gd.{disable,ini}

    # /sbin/service httpd restart
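Renaming extension files one at a time is fine for a single module; when you want to enforce an allow-list of extensions across the whole directory, the same rename-to-.disable convention can be scripted. The following script is an added example, not code from Anson Cheung's article: it assumes the /etc/php.d layout described above, works on a constructed temporary directory so it runs stand-alone, and uses function names of its own. Restart Apache afterwards, as the article does, for the change to take effect.

```sh
# Added example, not from the original article: disable every extension ini
# file in a php.d-style directory except an allow-list, using the article's
# rename-to-.disable convention so the change is reversible. Assumes the
# /etc/php.d layout described above; restart Apache afterwards as the article does.
# Usage: disable_unlisted_extensions /etc/php.d "json mbstring pdo_mysql"
# Prints the number of files renamed.
disable_unlisted_extensions() {
    dir=$1; keep=" $2 "; count=0
    for ini in "$dir"/*.ini; do
        [ -e "$ini" ] || continue
        name=$(basename "$ini" .ini)
        case "$keep" in *" $name "*) continue ;; esac
        mv "$ini" "$dir/$name.disable" && count=$((count + 1))
    done
    echo "$count"
}
# Re-enable one extension: the article's mv gd.{disable,ini}. Fails if the
# extension was not disabled this way.
enable_extension() {
    [ -e "$1/$2.disable" ] && mv "$1/$2.disable" "$1/$2.ini"
}
# Names of the extensions currently enabled in the directory, one per line.
enabled_extensions() {
    for ini in "$1"/*.ini; do [ -e "$ini" ] && basename "$ini" .ini; done
}
# Constructed sample directory standing in for /etc/php.d, so the script runs
# stand-alone (replace with the real directory, as root, to apply it).
SAMPLE_PHPD=$(mktemp -d)
for ext in gd sqlite3 json mbstring imap; do
    echo "extension=$ext.so" > "$SAMPLE_PHPD/$ext.ini"
done
echo "Disabled $(disable_unlisted_extensions "$SAMPLE_PHPD" "json mbstring") extensions"
echo "Still enabled: $(enabled_extensions "$SAMPLE_PHPD" | tr '\n' ' ')"
```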

4. Log PHP error information

To improve the security of the system and of web applications, PHP error messages must not be shown to users. To achieve this, edit /etc/php.d/security.ini and set the following directive:

    display_errors=Off

To make bug fixing easier, all PHP errors should still be written to a log file:

    log_errors=On

    error_log=/var/log/httpd/php_scripts_error.log
  4.  

5. Disable remote code execution

When remote file access is enabled, PHP's built-in data-retrieval functions, for example file_get_contents(), can fetch data from remote locations over FTP or HTTP.

Many programmers use these functions to load data remotely over FTP or HTTP. However, this practice can open a large hole in PHP-based applications: because most programmers do not properly filter user-supplied data, they create injection vulnerabilities when that data ends up in such a call. To address this, disable allow_url_fopen in /etc/php.d/security.ini with the following directive:

    allow_url_fopen=Off

In addition, we recommend disabling allow_url_include to further improve system security:

    allow_url_include=Off

6. Disable dangerous PHP functions

PHP has many built-in functions that are dangerous if used improperly and can compromise your system. You can list the built-in functions to be disabled in /etc/php.d/security.ini:

    disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

7. Resource control

To improve system stability, we strongly recommend setting the maximum execution time for each script, the maximum time allowed for parsing request data, and the maximum amount of memory a script may consume. Configuring these parameters correctly prevents any single PHP script from consuming too many resources or too much memory, which could otherwise leave the system insecure or weaken its security margin.

    ; set in seconds
    max_execution_time = 30

    max_input_time = 30

    memory_limit = 40M

8. Restrict PHP's access to the file system

The open_basedir directive limits the directories that PHP's file functions, such as fopen(), may access. If any script tries to access a file outside the directories defined by open_basedir, PHP refuses to open it. Note that a symbolic link cannot be used as a workaround.

    ; Limits the PHP process from accessing files outside
    ; of specifically designated directories such as /var/www/html/
    open_basedir="/var/www/html/"
    ; ------------------------------------
    ; Multiple dirs example
    ; open_basedir="/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
    ; ------------------------------------
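Before restarting Apache it is worth checking that the security.ini file actually contains everything sections 2 and 4 to 8 ask for. The following script is an added example, not part of Anson Cheung's article: it audits any php.ini-style file for those directives, runs stand-alone against a constructed sample that mirrors /etc/php.d/security.ini, and uses function names of its own.

```sh
# Added example, not from the original article: audit a php.ini-style file for
# the settings recommended in sections 2 and 4 to 8. Usage: sh audit.sh [file]
# Effective value of ini key $2 in file $1: last uncommented assignment wins,
# quotes and surrounding whitespace stripped, empty if the key is absent.
ini_value() {
    grep -iE "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//'
}
# PASS if key $2 in file $1 equals $3 (case-insensitive), FAIL otherwise.
expect_value() {
    actual=$(ini_value "$1" "$2" | tr '[:upper:]' '[:lower:]')
    wanted=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$actual" = "$wanted" ]; then echo "PASS $2=$3"; return 0; fi
    echo "FAIL $2 is '${actual:-unset}', expected '$3'"; return 1
}
# PASS if every function in the comma-separated list $2 is in disable_functions.
expect_disabled() {
    list=$(ini_value "$1" disable_functions | tr -d ' '); missing=""
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$list," in *",$fn,"*) ;; *) missing="$missing $fn" ;; esac
    done
    if [ -z "$missing" ]; then echo "PASS disable_functions covers $2"; return 0; fi
    echo "FAIL disable_functions is missing:$missing"; return 1
}
# Run every check on file $1; return non-zero if any failed.
audit_php_ini() {
    rc=0
    expect_value "$1" expose_php Off || rc=1
    expect_value "$1" display_errors Off || rc=1
    expect_value "$1" log_errors On || rc=1
    expect_value "$1" allow_url_fopen Off || rc=1
    expect_value "$1" allow_url_include Off || rc=1
    expect_disabled "$1" exec,passthru,shell_exec,system,proc_open,popen || rc=1
    if [ -n "$(ini_value "$1" open_basedir)" ]; then echo "PASS open_basedir set"
    else echo "FAIL open_basedir unset"; rc=1; fi
    return $rc
}
# Constructed sample mirroring the article's /etc/php.d/security.ini so the
# script runs stand-alone; pass a real file as $1 to audit that instead.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
expose_php = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec
open_basedir = "/var/www/html/"
EOF
audit_php_ini "${1:-$SAMPLE_INI}"
```

The script reads a single file; since PHP merges php.ini with every file in /etc/php.d/, audit each file that sets these keys, or compare against the output of php -i, to confirm the effective value.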

9. Restrict file and directory access

Apply sensible security settings: make sure Apache runs as a non-root user, such as www-data or www, and that the files and directories under /var/www/ are owned by that non-root user. To change the owner, run the following command:

    # chown -R apache:apache /var/www/

10. Protect the Apache, PHP and MySQL configuration files with chattr

Use the chattr command to make the configuration files immutable:

    # chattr +i /etc/php.ini

    # chattr +i /etc/php.d/*

    # chattr +i /etc/my.ini

    # chattr +i /etc/httpd/conf/httpd.conf

    # chattr +i /etc/

You can also use chattr to make the PHP files, or whole directories, under /var/www/html immutable:

    # chattr +i /var/www/html/file1.php

    # chattr +i /var/www/html/

(Note: this article was compiled by Xia Mengzhu. For more information, see the source.)

From: ansoncheung.tk
