Improve PHP security: 8 PHP default configurations that must be modified_javascript skills

Obviously, PHP Mysql Apache is a very popular web technology. This combination is powerful, scalable, and free. However, PHP's default settings are not so suitable for already online websites. Let's strengthen PHP's security policy by modifying the default configuration file!

0x01: Disable remote url file processing function

The file processing function like fopen accepts the rul parameter of the file (for example: fopen('http://www.yoursite.com','r')).). This function can easily access remote resources. However, this is a very important security threat. It is a good choice to disable this feature to limit the file function. Make the following changes in the php.ini file:

Copy code The code is as follows:

allow_url_fopen = Off

0x02: Disable registration of global variables

In versions before 4.2.0, PHP uses global variables as input. This function is called register_globals. It causes a lot of security problems in web applications because it allows attackers to easily manipulate global variables in some situations. , fortunately this feature is disabled by default in 4.2.0. It is very dangerous and must be disabled under any circumstances. If some scripts require this functionality, then the script has a potential security threat. Modify pnp.ini to disable this feature:

Copy code The code is as follows:

register_globals = Off

0x03: Limit PHP read and write operations

In many web development processes, php scripts need to read and write to the local file system, such as /var/www/htdocs/files. In order to enhance security, you can modify the read and write permissions of local files:

Copy code The code is as follows:

open_basedir = /var/www/htdocs/files

0x04: Posing Limit

Limiting PHP’s execution time, memory usage, post and upload data is the best strategy. You can configure it as follows:

Copy code The code is as follows:

max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing input
memory_limit = 16M ; Max memory used by one script
upload_max_filesize = 2M ; Max upload file size
post_max_size = 8M ; Max post size

0x05: Disable error messages and enable logging

In the default setting, PHP will output an error message to the browser. During the development process of the application, this default setting is the most reasonable configuration. However, it can also leak some security information to the user, such as the installation path and username. In already developed websites, it is best to disable error messages and output error messages to a log file.

Copy code The code is as follows:

display_errors = Off
log_errors = On

0x06: Hide PHP file

If there is no hidden PHP file, we can obtain the server PHP version through various methods, such as using: http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9- 4C7B08C10000

Obviously, we don’t want users to be able to directly obtain the PHP version of your website server. Fortunately, there is a switch in php.ini to disable this feature:

Copy code The code is as follows:

expose_php = Off

0x07: Safe mode configuration

By default, PHP can be configured in safe mode. In this mode, Apache prohibits access to files, environment variables and binary programs. In safe mode, the biggest problem is that only the owner of the file can access This is a PHP file. If there are many developers working together to develop this program, this setting is impractical. When you need to access a PHP file, you need to modify the owner of the file. Another problem is that other programs cannot access these. PHP file, the following configuration can modify the permissions of the file to the user group instead of a single user.

Copy code The code is as follows:

safe_mode = Off
safe_mode_gid = On

By enabling safe_mode_gid, this group using Apache will be able to access PHP files. Safe mode is also very effective at preventing binaries from executing, however, developers may want to be able to run some binaries under certain circumstances. In these special cases, the binary files can be placed in a directory, such as (/var/www/binaries), and the following settings can be made:

Copy code The code is as follows:

safe_mode_exec_dir = /var/www/binaries

Finally, through the following settings, you can access the server's environment variables, provide a prefix separated by "_", so that only environment variables with the specified prefix can be accessed:

Copy code The code is as follows:

safe_mode_allowed_env_vars = PHP_

0x08: Restrict public user access to files with specific suffixes

Due to security reasons, many files with specific suffix names cannot be accessed by public users, such as files with the .inc suffix, which contain some sensitive information, such as mysql connection information. If there is no appropriate configuration, then every Every user can access this configuration file. In order to enhance the security of the website, you need to configure the following in the ..htaccess file:

Copy code The code is as follows:

Order allow,deny
Deny from all

0x09: Summary

The default configuration of PHP is for developers. If the website is for a large number of users, it is recommended to reconfigure PHP.