Home > Article > Backend Development > PHP security configuration cheat sheet maintained by OWASP
Introduction
The purpose of this page is to help those configuring PHP and the web servers that run it to ensure its security.
Below you will find the correct configuration information for the php.ini file.
php.ini
Some of the following settings need to be adapted to your system, especially session.save_path, session.cookie_path (for example: /var/www/mysite) , and session.cookie_domain (for example: ExampleSite.com).
You should also be running PHP 7.2 or higher. If you are running PHP 7.0 and PHP 7.1, you will use slightly different values in a few places below (see inline comments).
Finally, check out the PHP documentation for a reference on each value in the php.ini configuration file.
You can find a copy of the following configuration in a ready-made php.ini file here .
PHP Error Handling
expose_php = Off error_reporting = E_ALL display_errors = Off display_startup_errors = Off log_errors = On error_log = /valid_path/PHP-logs/php_error.log ignore_repeated_errors = Off
Please note: You need to set display_errors to Off in the production environment, and it is best to develop a good habit of checking these logs frequently.
PHP Common Settings
doc_root = /path/DocumentRoot/PHP-scripts/ open_basedir = /path/DocumentRoot/PHP-scripts/ include_path = /path/PHP-pear/ extension_dir = /path/PHP-extensions/ mime_magic.magicfile = /path/PHP-magic.mime allow_url_fopen = Off allow_url_include = Off variables_order = "GPCS" allow_webdav_methods = Off session.gc_maxlifetime = 600
allow_url_* It is easy to have LFI and RFI complete vulnerabilities.
PHP Upload File Processing
file_uploads = On upload_tmp_dir = /path/PHP-uploads/ upload_max_filesize = 2M max_file_uploads = 2
If your application does not use the file upload function, or the only way for users to input uploads is through a form that does not contain document attachments To submit, file_uploads should be set to Off.
PHP executable processing
enable_dl = Off disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo # 请查看:http://ir.php.net/features.safe-mode disable_classes =
The above are dangerous methods and classes in PHP. You should disable methods and classes that are not used.
PHP session processing
There are some values that need to be paid attention to in the Session settings. It is a good exercise to change session.name to a new one.
session.save_path = /path/PHP-session/ session.name = myPHPSESSID session.auto_start = Off session.use_trans_sid = 0 session.cookie_domain = full.qualified.domain.name #session.cookie_path = /application/path/ session.use_strict_mode = 1 session.use_cookies = 1 session.use_only_cookies = 1 session.cookie_lifetime = 14400 # 4小时 session.cookie_secure = 1 session.cookie_httponly = 1 session.cookie_samesite = Strict session.cache_expire = 30 session.sid_length = 256 session.sid_bits_per_character = 6 # PHP 7.2+ session.hash_function = 1 # PHP 7.0-7.1 session.hash_bits_per_character = 6 # PHP 7.0-7.1
More checks for security risks
session.referer_check = /application/path memory_limit = 50M post_max_size = 20M max_execution_time = 60 report_memleaks = On track_errors = Off html_errors = Off
English original address:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets /PHP_Configuration_Cheat_Sheet.md
The above is the detailed content of PHP security configuration cheat sheet maintained by OWASP. For more information, please follow other related articles on the PHP Chinese website!