Share ten essential tips for PHP security

                                                                                       

Recommended: "PHP Video Tutorial"

##Hello, PHP developer. In this article, I will try to provide you with some concrete steps you can take to improve the security of your PHP applications. I'm focusing on the PHP configuration itself, so we won't discuss SQL injection, HTTPS, or other non-PHP related issues.

I'll use the bash lines from my

docker-entrypoint.shscript to illustrate the example, but of course you can apply this to a non-docker environment.

Sessions

Use a longer Session ID length

Increasing the session ID length will make it harder for attackers to guess (Via brute force or more likely side channel attack). The length can be between 22 and 256 characters. The default value is 32.

sed -i -e "s/session.sid_length = 26/session.sid_length = 42/" /etc/php7/php.ini

(Don't ask me why it's 26 on Alpine Linux...)

You may also want to check session.sid_bits_per_character.

Use a custom session save path with restricted permissions

Only nginx/php needs access to the session, so let’s put them in a special session with restricted permissions folder.

sed -i -e "s:;session.save_path = \"/tmp\":session.save_path = \"/sessions\":" /etc/php7/php.ini
mkdir -p /sessions
chown nginx:nginx /sessions
chmod 700 /sessions

Of course, if you use Redis to handle sessions, you don’t need to care about this part;)

Secure Session Cookie

session .cookie_httponly to prevent javascript from accessing them. More information.

sed -i -e "s/session.cookie_httponly.*/session.cookie_httponly = true/" /etc/php7/php.ini
sed -i -e "s/;session.cookie_secure.*/session.cookie_secure = true/" /etc/php7/php.ini

session.cookie_secure Prevents your cookies from being transmitted over clear text HTTP.

session.cookie_samesite to prevent cross-site attacks. Only works with latest PHP/browsers.

Using Strict Mode

Due to the cookie specification, an attacker is able to place a non-removable session ID cookie by setting the cookie database locally or via JavaScript injection.

session.use_strict_mode Prevents the use of an attacker-initiated session ID.

Limited lifetime

The session should be closed with the browser. Therefore set

session.cookie_lifetime to 0.

Open_basedir

open_basedir is a php.ini configuration option that allows you to limit the files/directories that PHP can access .

sed -i -e "s#;open_basedir =#open_basedir = /elabftw/:/tmp/:/usr/bin/unzip#" /etc/php7/php.ini

Here I added unzip because it is used by Composer.

/elabftw is the location where all source php files are located. I don't remember why /tmp is here, but there must be a reason.

Disable Features

Be careful with this as you can easily screw up an app. But it's definitely worth investigating. Assuming an attacker somehow uploaded a webshell, if it was disabled correctly, the webshell wouldn't really work because

shell_exec would be disabled and so would the same. I've provided a list that works for elabftw, but it's not 100% complete.

sed -i -e "s/disable_functions =/disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, phpinfo/" /etc/php7/php.ini

Disable url_fopen

allow_url_fopen This option is very dangerous. Disable it. More informationhere.

sed -i -e "s/allow_url_fopen = On/allow_url_fopen = Off/" /etc/php7/php.ini

Disable cgi.fix_pathinfo

You don’t want non-PHP files to execute as PHP files, right? Then disable this feature.

More information.

sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php7/php.ini

Hide PHP version

Finally, without thinking:

sed -i -e "s/expose_php = On/expose_php = Off/g" /etc/php7/php.ini

That’s it for now. I hope you find this article useful and improve your configuration ;)

If I missed something important, please let me know in the comments!

Original address: https://dev.to/elabftw/10-steps-for-securing-a-php-app-5fnp

Translation address: https://learnku.com /php/t/50851

The above is the detailed content of Share ten essential tips for PHP security. For more information, please follow other related articles on the PHP Chinese website!