Top 10 PHP best security practices
PHP security settings used in this article:

    DocumentRoot: /var/www/
    Default web server: Apache
    Default PHP configuration file: /etc/php.ini
    Default PHP extensions config directory: /etc/php.d/
    Our sample PHP security config file: /etc/php.d/security.ini (you need to create this file with a text editor)
    Operating system: Ubuntu (the instructions should work with any other Linux distribution such as RHEL/CentOS/Fedora, or other Unix-like operating systems such as OpenBSD/FreeBSD/HP-UX)

Note that /etc/php.ini and /etc/php.d/ are the RHEL/CentOS file layout. Debian and Ubuntu packages keep the equivalent files under /etc/php/<version>/apache2/php.ini and /etc/php/<version>/apache2/conf.d/ (older releases used /etc/php5/apache2/), so adjust the paths below to match your system.
1. Reduce PHP built-in modules

To improve performance and security, we strongly recommend reducing the number of modules PHP loads. Every loaded extension is code that can contain bugs and that an attacker can reach, so keep only what your applications need. List the installed modules by running:

    # php -m

You will get output similar to this:

    [PHP Modules]
    apc bcmath bz2 calendar Core ctype curl date dom ereg exif fileinfo filter ftp gd gettext gmp hash iconv imap json libxml mbstring memcache mysql mysqli openssl pcntl pcre PDO limit Phar readline Reflection session shmop SimpleXML sockets SPL sqlite3 standard suhosin tokenizer wddx xml xmlreader xmlrpc xmlwriter xsl zip zlib

    [Zend Modules]
    Suhosin

To remove a module, delete its configuration file from /etc/php.d/. For example, to remove the sqlite3 module:

    # rm /etc/php.d/sqlite3.ini

Or, to keep the file so the module can be re-enabled later:

    # mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Restart Apache afterwards: PHP running as an Apache module reads its configuration at web server startup, so the change is not visible until then. A package upgrade may put a removed .ini file back, so re-check php -m after updating PHP.
2. Minimize PHP information leakage

By default, PHP adds a header to every HTTP response it generates (for example, X-Powered-By: PHP/5.2.10). This hands attackers valuable information about the system: they learn the exact PHP version and can look up known vulnerabilities for it.

HTTP example:

    HTTP/1.1 200 OK
    X-Powered-By: PHP/5.2.10
    Content-type: text/html; charset=UTF-8
    Vary: Accept-Encoding, Cookie
    X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
    Last-Modified: Thu, 03 Nov 2011 22:32:55 GMT
    ......

Therefore, we strongly recommend disabling this leak. To do so, edit /etc/php.d/security.ini and set:

    expose_php = Off

After restarting Apache, confirm the header is gone with curl -I against one of your PHP pages. Hiding the version is not a substitute for patching; it only denies the attacker an easy fingerprint.
3. Minimize PHP loaded modules

On RHEL, every module PHP loads has a configuration file in the /etc/php.d/ directory. To disable or enable a specific module, comment out its extension= line in that file, or rename the file as shown below. To optimize PHP performance and security, we strongly recommend enabling an extension only when your application needs it. For example, to disable the GD extension, type the following commands:

    # cd /etc/php.d/
    # mv gd.{ini,disable}
    # /etc/init.d/apache2 restart

To enable the PHP GD module again, type:

    # mv gd.{disable,ini}
    # /sbin/service httpd restart

(Use whichever restart command matches your system: /etc/init.d/apache2 restart on Debian/Ubuntu, /sbin/service httpd restart on RHEL/CentOS, or systemctl restart apache2 or httpd on systemd-based releases.)
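The rename step from sections 1 and 3 as a small helper script. This is an added example and not code from the original article; it renames <ext>.ini to <ext>.disable (and back) instead of deleting the file, refuses to overwrite an existing target, and fails loudly on a misspelled extension name. The directory is a parameter, so the demo runs against a constructed scratch copy rather than the real /etc/php.d/.

```sh
#!/bin/sh
# Added example, not part of the original article: a helper for the
# disable/enable step in sections 1 and 3. The directory is a parameter so
# it can be tried on a scratch copy before touching /etc/php.d/.

# php_ext_list DIR
#   Print the name of every extension whose DIR/<name>.ini is active.
php_ext_list() {
    for f in "$1"/*.ini; do
        [ -e "$f" ] || continue        # no .ini files at all: the glob stays literal
        name=${f##*/}
        printf '%s\n' "${name%.ini}"
    done
}

# php_ext_set DIR NAME on|off
#   off: DIR/NAME.ini -> DIR/NAME.disable; on: the reverse.
#   Returns 0 on success, 1 if the source is missing or the target exists.
php_ext_set() {
    dir=$1 name=$2 state=$3
    case $state in
        off) src="$dir/$name.ini"     dst="$dir/$name.disable" ;;
        on)  src="$dir/$name.disable" dst="$dir/$name.ini" ;;
        *)   echo "usage: php_ext_set DIR NAME on|off" >&2; return 1 ;;
    esac
    if [ ! -f "$src" ]; then
        echo "php_ext_set: $src not found (typo in extension name?)" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "php_ext_set: $dst already exists, not overwriting" >&2
        return 1
    fi
    mv "$src" "$dst"
}

# Demo on a constructed scratch directory (not the real /etc/php.d/).
demo_php_ext() {
    tmp=$(mktemp -d)
    printf 'extension=gd.so\n'      > "$tmp/gd.ini"
    printf 'extension=sqlite3.so\n' > "$tmp/sqlite3.ini"
    php_ext_set "$tmp" sqlite3 off          # same effect as "mv sqlite3.{ini,disable}"
    php_ext_set "$tmp" sqlite off || true   # misspelled name: reports an error instead of doing nothing
    php_ext_list "$tmp"                     # prints: gd
    php_ext_set "$tmp" sqlite3 on           # put it back
    rm -rf "$tmp"
}
demo_php_ext
```

Restart Apache after each change, exactly as with the manual mv. On Debian and Ubuntu the packaged equivalents are phpdismod and phpenmod, which manage the symlinks in /etc/php/<version>/<sapi>/conf.d/ for you.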
4. Log PHP error information

To improve the security of the system and your web applications, PHP error messages must not be shown to visitors: they reveal file paths, SQL fragments and library versions. To do this, edit /etc/php.d/security.ini and set:

    display_errors = Off

All PHP error messages should still be recorded in a log so bugs can be found and fixed:

    log_errors = On
    error_log = /var/log/httpd/php_scripts_error.log

The log file must be writable by the user Apache runs as and must live outside the DocumentRoot; otherwise the error details you just hid from the browser become downloadable.
5. Disable remote code execution

If allow_url_fopen is enabled, the PHP functions that retrieve data, such as file_get_contents(), can fetch remote files over FTP or HTTP instead of only local ones.

Many programmers use these functions to obtain data remotely over FTP or HTTP. However, this can open a large hole in PHP-based applications: most programmers do not properly filter user-supplied data, so a URL or path taken from the request lets an attacker make the server fetch arbitrary remote content, and in the worst case include and execute remote PHP code. To close this, disable allow_url_fopen in /etc/php.d/security.ini:

    allow_url_fopen = Off

In addition to allow_url_fopen = Off, we also recommend disabling allow_url_include, the setting that governs whether include and require may load code from a URL:

    allow_url_include = Off

Note that allow_url_fopen = Off only affects the URL stream wrappers (http://, ftp:// and so on); code that uses the curl extension is unaffected, which the disable_functions list in the next section addresses separately.
6. Disable dangerous functions in PHP

PHP has many dangerous built-in functions which, if used improperly, can let an attacker run commands on the server or crash your system. Build a list of the built-in functions your applications do not need and disable them by editing /etc/php.d/security.ini:

    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

disable_functions is read at startup and cannot be undone from a script with ini_set(), which is what makes it useful. Test your applications before deploying it, since any call to a disabled function fails with a fatal error. Functions such as pcntl_exec, if the pcntl extension is loaded, belong on the same list.
7. Resource control

To improve system stability, we strongly recommend setting the maximum time a script may run, the maximum time it may spend parsing request data, and the maximum amount of memory it may consume. Configuring these correctly prevents any single PHP script from consuming too many resources, which would otherwise let a buggy page or a deliberate flood of requests degrade or take down the server. Set them in /etc/php.d/security.ini:

    ; Set in seconds
    max_execution_time = 30
    max_input_time = 30
    memory_limit = 40M

Note that on Linux max_execution_time counts only time spent executing the script itself; time spent waiting on system calls, stream operations or database queries is not included.
8. Restrict PHP access to the file system

The open_basedir directive limits the files PHP may access with functions such as fopen() to the directories listed. If a script tries to access a file outside the open_basedir definition, PHP refuses to open it. Note that a symbolic link cannot be used as a workaround: PHP resolves the real path before checking it.

    ; Limit the PHP process to files inside specifically designated
    ; directories such as /var/www/html/
    open_basedir = "/var/www/html/"
    ; Multiple directories example
    ; open_basedir = "/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"

Each entry is matched as a path prefix, so always end directories with a slash: "/var/www/html" would also allow access to "/var/www/html2" if it exists.
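The directives from sections 2 and 4 to 8 only help if they are in effect, and the effective value is whatever PHP reads last: the main php.ini first, then the scan-directory files such as /etc/php.d/security.ini in alphabetical order. The script below is an added example, not code from the original article. It parses php.ini-style files in that load order (last definition wins), normalises On/Off/1/0/yes/no the way PHP's ini parser does, and reports each recommendation that is not met. The file paths are parameters and the two sample files in the demo are constructed for it.

```sh
#!/bin/sh
# Added example, not part of the original article: audit the effective PHP
# settings recommended in sections 2 and 4-8. Pass the files in PHP's load
# order (php.ini, then the /etc/php.d/*.ini files); a later file overrides
# an earlier one, which is exactly how security.ini is meant to work.

# ini_get KEY   (reads php.ini-style text on stdin)
#   Print the last value given for KEY (case-insensitive). Skips ';' and '#'
#   comments, [section] headers and lines without '=', strips a trailing
#   '; comment' and surrounding double quotes. Prints nothing if KEY is absent.
ini_get() {
    awk -v want="$1" '
        /^[ \t]*[[;#]/ { next }
        index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(want)) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v
        }
        END { print val }'
}

# ini_bool VALUE
#   1 or 0 using PHP's rules: on/true/yes -> 1, off/false/no/none/"" -> 0,
#   otherwise the leading integer (atoi), so "2" -> 1 and "stderr" -> 0.
ini_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|true|yes)          echo 1 ;;
        off|false|no|none|'') echo 0 ;;
        [1-9]*)               echo 1 ;;
        *)                    echo 0 ;;
    esac
}

# ini_val KEY DEFAULT   (uses $CFG, the concatenated files set by php_ini_audit)
#   Effective value of KEY, or DEFAULT when no file defines it.
ini_val() {
    v=$(printf '%s\n' "$CFG" | ini_get "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$2"; fi
}

# php_ini_audit FILE...
#   Print one FINDING line per unmet recommendation; return the number of findings.
php_ini_audit() {
    [ $# -gt 0 ] || { echo "usage: php_ini_audit FILE..." >&2; return 1; }
    CFG=$(cat "$@")
    n=0
    finding() { echo "FINDING: $1"; n=$((n + 1)); }

    # 2. information leakage: PHP's built-in default for expose_php is On
    [ "$(ini_bool "$(ini_val expose_php On)")" = 0 ] || finding "expose_php is On (X-Powered-By reveals the PHP version)"
    # 4. errors: display_errors also accepts stdout/stderr, which still display,
    #    so anything other than an explicit off value is a finding
    case $(ini_val display_errors On | tr 'A-Z' 'a-z') in
        off|false|no|none|0) ;;
        *) finding "display_errors is not Off" ;;
    esac
    # the article asks for these to be set explicitly, so unset is a finding
    [ "$(ini_bool "$(ini_val log_errors Off)")" = 1 ] || finding "log_errors is not On"
    [ -n "$(ini_val error_log '')" ] || finding "error_log is not set"
    # 5. remote files: allow_url_fopen defaults to On, allow_url_include to Off
    [ "$(ini_bool "$(ini_val allow_url_fopen On)")" = 0 ]    || finding "allow_url_fopen is On"
    [ "$(ini_bool "$(ini_val allow_url_include Off)")" = 0 ] || finding "allow_url_include is On"
    # 6. dangerous functions: membership test on the comma-separated list
    disabled=",$(ini_val disable_functions '' | tr -d ' '),"
    for fn in exec passthru shell_exec system proc_open popen; do
        case $disabled in *",$fn,"*) ;; *) finding "$fn is not in disable_functions" ;; esac
    done
    # 7. resource limits and 8. file system restriction must be set explicitly
    for key in max_execution_time max_input_time memory_limit open_basedir; do
        [ -n "$(ini_val "$key" '')" ] || finding "$key is not set"
    done
    return $n
}

# Demo with two constructed files: a permissive php.ini and the security.ini
# from this article, which loads after it and overrides it.
demo_php_ini_audit() {
    tmp=$(mktemp -d)
    printf '[PHP]\nexpose_php = On\ndisplay_errors = stderr\nlog_errors = Off\nallow_url_fopen = On\ndisable_functions =\n' > "$tmp/php.ini"
    printf 'expose_php = Off\ndisplay_errors = Off\nlog_errors = On\nerror_log = /var/log/httpd/php_scripts_error.log\nallow_url_fopen = Off\nallow_url_include = Off\ndisable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source\nmax_execution_time = 30\nmax_input_time = 30\nmemory_limit = 40M\nopen_basedir = "/var/www/html/"\n' > "$tmp/security.ini"
    php_ini_audit "$tmp/php.ini" || echo "php.ini alone: $? findings"
    php_ini_audit "$tmp/php.ini" "$tmp/security.ini" && echo "with security.ini: passes"
    rm -rf "$tmp"
}
demo_php_ini_audit
```

Run it against the real files (php_ini_audit /etc/php.ini /etc/php.d/*.ini) after editing security.ini, and compare with what a running PHP actually reports via php -i or phpinfo(): a setting that the files define but PHP does not show usually means Apache has not been restarted, or a per-directory php_value in the Apache configuration is overriding it.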
9. Restrict file/directory access

Make sure Apache runs as a non-root user such as www-data or apache, and that the files and directories under /var/www are also owned by a non-root user. To change the owner, run:

    # chown -R apache:apache /var/www/

Making the web server user own the whole tree is the simplest setup, but it also means that PHP code running inside a compromised request can rewrite your application. Where possible, keep the code owned by a separate deployment user with read-only access for apache, and give apache write access only to the directories that genuinely need it, such as upload directories.

10. Make the Apache, PHP, and MySQL configuration files immutable

Use the chattr command to make the configuration files immutable, so that not even root can modify or delete them until the flag is removed:

    # chattr +i /etc/php.ini
    # chattr +i /etc/php.d/*
    # chattr +i /etc/my.cnf
    # chattr +i /etc/httpd/conf/httpd.conf
    # chattr +i /etc/

Use chattr in the same way to protect individual PHP files or the whole directory under /var/www/html:

    # chattr +i /var/www/html/file1.php
    # chattr +i /var/www/html/

Two caveats: the +i flag on a directory only prevents creating, deleting or renaming entries inside it, so existing files in an immutable directory can still be modified unless they carry the flag themselves; and you must run chattr -i before editing a protected file or upgrading a package that ships one, otherwise the edit or the upgrade fails. Check the current flags with lsattr.
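A read-only check for the ownership rule in section 9, as an added example that is not part of the original article. It walks a web root and reports every entry not owned by the expected user and every entry that is writable by everyone, the two mistakes that most often undo the chown step (files edited as root, or an upload directory "fixed" with chmod 777). The web root and expected owner are parameters; the demo tree is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example, not part of the original article: report entries under a
# web root that are not owned by the expected user or are world-writable.

# webroot_audit WEBROOT OWNER
#   Prints "owner <path>" and "world-writable <path>" lines, sorted;
#   returns the number of hits (0 means clean; capped at 255 by the shell).
webroot_audit() {
    root=$1 owner=$2
    hits=$( {
        find "$root" ! -user "$owner" | sed 's/^/owner /'
        find "$root" -perm -o+w      | sed 's/^/world-writable /'
    } | sort )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return "$(printf '%s\n' "$hits" | grep -c .)"
}

# Demo on a constructed tree owned by the current user.
demo_webroot_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/uploads"
    chmod 755 "$tmp/html"                  # explicit modes so the demo does not depend on umask
    printf '<?php echo "hello";\n' > "$tmp/html/index.php"
    chmod 644 "$tmp/html/index.php"
    chmod 777 "$tmp/html/uploads"          # the classic "just make uploads work" mistake
    webroot_audit "$tmp/html" "$(id -un)" || echo "findings: $?"   # reports the uploads directory, findings: 1
    chmod 755 "$tmp/html/uploads"
    webroot_audit "$tmp/html" "$(id -un)" && echo "clean"
    rm -rf "$tmp"
}
demo_webroot_audit
```

On a real server run it as webroot_audit /var/www www-data (or apache) after the chown from section 9, and again after each deployment. The immutable flag from section 10 is not visible to find; list it with lsattr -d /etc/php.ini or lsattr /var/www/html when you need to confirm it is still set.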