Home >Backend Development >PHP Tutorial >Share ten essential tips for PHP security
Recommended: "PHP Video Tutorial"
##Hello, PHP developer. In this article, I will try to provide you with some concrete steps you can take to improve the security of your PHP applications. I'm focusing on the PHP configuration itself, so we won't discuss SQL injection, HTTPS, or other non-PHP related issues. I'll use the bash lines from mydocker-entrypoint.shscript to illustrate the example, but of course you can apply this to a non-docker environment.
Sessions
Use a longer Session ID length
Increasing the session ID length will make it harder for attackers to guess (Via brute force or more likely side channel attack). The length can be between 22 and 256 characters. The default value is 32.sed -i -e "s/session.sid_length = 26/session.sid_length = 42/" /etc/php7/php.ini(Don't ask me why it's 26 on Alpine Linux...)You may also want to check session.sid_bits_per_character.
Use a custom session save path with restricted permissions
Only nginx/php needs access to the session, so let’s put them in a special session with restricted permissions folder.sed -i -e "s:;session.save_path = \"/tmp\":session.save_path = \"/sessions\":" /etc/php7/php.ini mkdir -p /sessions chown nginx:nginx /sessions chmod 700 /sessionsOf course, if you use Redis to handle sessions, you don’t need to care about this part;)
Secure Session Cookie
session .cookie_httponly to prevent javascript from accessing them. More information.
sed -i -e "s/session.cookie_httponly.*/session.cookie_httponly = true/" /etc/php7/php.ini sed -i -e "s/;session.cookie_secure.*/session.cookie_secure = true/" /etc/php7/php.ini
session.cookie_secure Prevents your cookies from being transmitted over clear text HTTP.
session.cookie_samesite to prevent cross-site attacks. Only works with latest PHP/browsers.
Using Strict Mode
Due to the cookie specification, an attacker is able to place a non-removable session ID cookie by setting the cookie database locally or via JavaScript injection.session.use_strict_mode Prevents the use of an attacker-initiated session ID.
Limited lifetime
The session should be closed with the browser. Therefore setsession.cookie_lifetime to 0.
Open_basedir
open_basedir is a php.ini configuration option that allows you to limit the files/directories that PHP can access .
sed -i -e "s#;open_basedir =#open_basedir = /elabftw/:/tmp/:/usr/bin/unzip#" /etc/php7/php.iniHere I added unzip because it is used by Composer.
/elabftw is the location where all source php files are located. I don't remember why
/tmp is here, but there must be a reason.
Disable Features
Be careful with this as you can easily screw up an app. But it's definitely worth investigating. Assuming an attacker somehow uploaded a webshell, if it was disabled correctly, the webshell wouldn't really work becauseshell_exec would be disabled and so would the same. I've provided a list that works for elabftw, but it's not 100% complete.
sed -i -e "s/disable_functions =/disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, phpinfo/" /etc/php7/php.ini
Disable url_fopen
allow_url_fopen This option is very dangerous. Disable it. More informationhere.
sed -i -e "s/allow_url_fopen = On/allow_url_fopen = Off/" /etc/php7/php.ini
Disable cgi.fix_pathinfo
You don’t want non-PHP files to execute as PHP files, right? Then disable this feature.More information.
sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php7/php.ini
Hide PHP version
Finally, without thinking:sed -i -e "s/expose_php = On/expose_php = Off/g" /etc/php7/php.iniThat’s it for now. I hope you find this article useful and improve your configuration ;) If I missed something important, please let me know in the comments!
Original address: https://dev.to/elabftw/10-steps-for-securing-a-php-app-5fnp
Translation address: https://learnku.com /php/t/50851
The above is the detailed content of Share ten essential tips for PHP security. For more information, please follow other related articles on the PHP Chinese website!