PHP is widely used in web development, and problems arise when the server-side scripting environment is configured incorrectly. Most web servers today run on Linux (e.g., Ubuntu, Debian). This article presents ten best practices for configuring PHP securely and with little effort.
Assumptions used in this article:
DocumentRoot: /var/www/default
Web server: Apache
Default PHP configuration file: /etc/php.ini
Default PHP extension configuration directory: /etc/php.d/
Our sample PHP security configuration file: /etc/php.d/security.ini (you need to create this file with a text editor)
Operating system: Ubuntu (the instructions should also work on other Linux distributions such as RHEL/CentOS/Fedora and on other Unix-like systems such as OpenBSD/FreeBSD/HP-UX).
1. Reduce PHP built-in modules
To improve performance and security, it is strongly recommended that you reduce the number of modules PHP loads. List the installed modules with the following command:
# php -m
You will get output similar to this:
[PHP Modules]
apc bcmath bz2 calendar Core ctype curl date dom ereg exif fileinfo filter ftp gd gettext gmp hash iconv imap json libxml mbstring memcache mysql mysqli openssl pcntl pcre PDO pdo_mysql pdo_sqlite Phar readline Reflection session shmop SimpleXML sockets SPL sqlite3 standard suhosin tokenizer wddx xml xmlreader xmlrpc xmlwriter xsl zip zlib
[Zend Modules]
suhosin
To remove a module, delete or rename its configuration file. For example, to remove the sqlite3 module:
# rm /etc/php.d/sqlite3.ini
Or
# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable
2. Minimize the disclosure of PHP information
By default PHP adds a header such as X-Powered-By: PHP/5.2.10 to every HTTP response, and this gives an attacker valuable information about the system.
HTTP example:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.10
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikiToken;string-contains=wikiLoggedOut;string-contains=wiki_session
Last-Modified: Thu, Nov 22:32:55 GMT
...
We therefore strongly recommend that you stop PHP from disclosing this information. To do so, edit /etc/php.d/security.ini and set the following directive:
expose_php = Off
3. Minimize the modules PHP loads
By default, on RHEL the configuration files for all loaded modules are in the /etc/php.d/ directory. To disable or enable a specific module, comment out (or uncomment) the extension line in its configuration file under /etc/php.d/, or rename the file. To optimize PHP performance and security, we strongly recommend enabling an extension only when your application requires it. For example, to disable the GD extension, type the following commands:
# cd /etc/php.d/
# mv gd.{ini,disable}
# /etc/init.d/apache2 restart
To re-enable the PHP GD module, type the following commands:
# mv gd.{disable,ini}
# /sbin/service httpd restart
4. Log PHP error messages
To improve the security of your system and web applications, PHP error messages must not be shown to users. Edit /etc/php.d/security.ini and set the following directive:
display_errors = Off
So that developers can still find and fix bugs, all PHP error messages should be written to a log file:
log_errors = On
error_log = /var/log/httpd/php_scripts_error.log
5. Disable remote code execution
When remote file access is enabled, PHP's built-in file functions, for example file_get_contents(), can fetch data from remote sources over FTP or HTTP.
Many programmers use these functions to get data over the FTP or HTTP protocols. However, this creates a large hole in a PHP-based application: most programmers do not filter the data properly when passing it on, which opens a security vulnerability and allows code injection. To resolve this, disable allow_url_fopen in /etc/php.d/security.ini with the following directive:
allow_url_fopen = Off
Besides this, I also recommend disabling allow_url_include to further improve the security of the system:
allow_url_include = Off
6. Disable dangerous functions in PHP
PHP has many dangerous built-in functions which, if used improperly, can damage your system. You can disable them by listing them in /etc/php.d/security.ini:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
7. Resource control
To improve the stability of the system, it is highly recommended that you limit how long each script may run, how long it may spend parsing request data, and how much memory it may consume. Setting these parameters properly prevents any PHP script from consuming too many resources or too much memory, which would otherwise make the system unstable or less secure.
; Set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
8. Restrict PHP's access to the file system
The open_basedir directive specifies the directories that PHP is allowed to access with functions such as fopen(). If a script tries to access a file outside the paths defined by open_basedir, PHP refuses to open it. Note that a symbolic link cannot be used as a workaround.
; Limits the PHP process from accessing files outside
; of specifically designated directories such as /var/www/html/
open_basedir = "/var/www/html/"
; ------------------------------------
; Multiple dirs example
; open_basedir = "/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
; ------------------------------------
9. Restrict file and directory access
Apply the appropriate security settings: make sure that Apache runs as a non-root user such as www-data or www, and that the files and directories under /var/www/ are also owned by a non-root user. To change the owner, execute the following command:
# chown -R apache:apache /var/www/
10. Protect the configuration files of Apache, PHP and MySQL
Use the chattr command to make the configuration files immutable:
# chattr +i /etc/php.ini
# chattr +i /etc/php.d/*
# chattr +i /etc/my.ini
# chattr +i /etc/httpd/conf/httpd.conf
# chattr +i /etc/
Use the chattr command in the same way to protect a PHP file or the /var/www/html directory:
# chattr +i /var/www/html/file1.php
# chattr +i /var/www/html/
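The directives from sections 2, 4, 5, 6, 7 and 8 are easy to get subtly wrong: php.ini directive names are case-sensitive, so a line such as Expose_php = Off is silently ignored, and a single missing function name in disable_functions goes unnoticed. The script below is an added example, not code from the article: it parses a php.ini-style file on its own (no PHP binary needed) and reports every directive that deviates from the baseline above. The two sample files it writes are constructed for the demo; the second one is the baseline from this article.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): audit a php.ini-style file
# against the hardening baseline of sections 2, 4, 5, 6, 7 and 8.

# Print the value of directive $2 in file $1 (last occurrence wins, as in PHP).
# Comments (; or #), blank lines and [sections] are skipped; the name is compared
# exactly because php.ini directive names are case-sensitive. Returns 1 if unset.
ini_get() {
    local file="$1" name="$2" line key val found=1 result=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%;*}"                          # drop ; comments
        line="${line#"${line%%[![:space:]]*}"}"     # trim leading blanks
        case "$line" in ''|'#'*|'['*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac # not a directive line
        key="$(printf '%s' "${line%%=*}" | tr -d '[:space:]')"
        val="$(printf '%s' "${line#*=}" \
              | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"//' -e 's/"$//')"
        if [ "$key" = "$name" ]; then result="$val"; found=0; fi
    done < "$file"
    [ "$found" -eq 0 ] && printf '%s\n' "$result"
    return "$found"
}

# Normalise PHP's boolean spellings (On/1/True/Yes vs Off/0/False/No/"") to on|off.
ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Print one "FAIL: ..." line per deviation from the article's baseline.
php_ini_audit() {
    local file="$1" d v fn
    for d in expose_php display_errors allow_url_fopen allow_url_include; do   # sections 2, 4, 5
        v="$(ini_get "$file" "$d")" || { echo "FAIL: $d not set (PHP default applies)"; continue; }
        [ "$(ini_bool "$v")" = off ] || echo "FAIL: $d should be Off (found: $v)"
    done
    v="$(ini_get "$file" log_errors)" && [ "$(ini_bool "$v")" = on ] \
        || echo "FAIL: log_errors should be On"                               # section 4
    for d in error_log open_basedir max_execution_time max_input_time memory_limit; do   # sections 4, 7, 8
        ini_get "$file" "$d" >/dev/null || echo "FAIL: $d not set"
    done
    v="$(ini_get "$file" disable_functions)" || v=""                          # section 6
    for fn in exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source; do
        case ",$(printf '%s' "$v" | tr -d ' ')," in
            *",$fn,"*) ;;
            *) echo "FAIL: disable_functions does not list $fn" ;;
        esac
    done
}

# Number of baseline violations in an ini file (0 means the file passes).
php_ini_violations() {
    local n
    n="$(php_ini_audit "$1" | grep -c '^FAIL')" || true
    printf '%s\n' "$n"
}

# Constructed samples for the demo: a permissive file and the article's baseline.
write_weak_sample() {
    cat > "$1" <<'EOF'
; constructed: a permissive configuration
expose_php = On
display_errors = On
allow_url_fopen = On
disable_functions = exec,system
EOF
}
write_hardened_sample() {
    cat > "$1" <<'EOF'
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_scripts_error.log
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
; Set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
open_basedir = "/var/www/html/"
EOF
}

# Demo: audit both samples (on a real host: php_ini_audit /etc/php.d/security.ini).
tmp_weak="$(mktemp)"; tmp_hard="$(mktemp)"
write_weak_sample "$tmp_weak"; write_hardened_sample "$tmp_hard"
echo "weak sample:"; php_ini_audit "$tmp_weak"
echo "hardened sample: $(php_ini_violations "$tmp_hard") violation(s)"
rm -f "$tmp_weak" "$tmp_hard"
```

The audit reads one file at a time, so run it against every file that php --ini lists as loaded; a directive set correctly in security.ini can still be overridden by a later file in /etc/php.d/.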