Secure existing PHP installation



Secure PHP

It is impossible to achieve a high level of security for PHP applications in a production environment. However, with some security tips, you can avoid common mistakes and protect yourself from the most frequent attacks.

When using PHP in a production environment, you should have the following settings in php.ini:

safe_mode = Off
register_globals = Off
expose_php = Off

allow_url_fopen = Off
allow_url_include = Off

log_errors = On
display_errors = Off
error_log = /var/log/phperror.log

memory_limit = 32M
post_max_size = 12M
upload_max_filesize = 8M
max_execution_time = 120
max_input_time = 60

enable_dl = Off
disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,phpinfo,eval"

session.use_only_cookies = 1

All PHP errors will be stored in file /var/log/phperror.log. The following lines creates it and set the permissions:

touch /var/log/phperror.log
chmod 666 /var/log/phperror.log

Below is a description of directives used to secure PHP:

safe_mode
It is primarily intended to provide file access limits to prevent users from accessing files that do no belong to them. This setting will be depreciated and should be avoided.

register_globals
Disables automatic variable creation. This means that all PHP script must use the $_REQUEST, $_GET, or $_POST arrays to retrieve user-provided data. This directive is responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables.

expose_php
Hide PHP Version in Apache from remote users requests. Obviously there is no reason to let end users know about the server's PHP version.

allow_url_fopen
This directive allows to reference remote resources as if they are local files. It is recommended to leave it disabled unless your application requires it.

allow_url_include
This directive allows to include/require remote resources as if they are local files. As above directive, it is recommended to leave it disabled.

log_errors
When enabled, log_errors instructs PHP to log all errors to the file indicated by the error_log directive.

display_errors
PHP error messages display should be disabled on production servers to avoid information leaks about your system environment from badly written scripts.

error_log
All PHP errors will be stored in file /var/log/phperror.log. The two above lines creates that file

memory_limit
To prevent poorly written scripts from consuming all of the available memory, this directive can be used to indicate a maximum amount of memory consumed by a script.

post_max_size
Controls the size of HTTP form submissions. You may tweak the values to suit your needs.

upload_max_filesize
Maximum allowed size for uploaded files

max_execution_time
Maximum execution time of each script. You may tweak the values to suit your need.

max_input_time
Maximum amount of time each script may spend parsing request data.

enable_dl
This directive is used to enable or disable the dl() function that allows runtime loading of PHP extensions. It makes possible to bypass some restrictions, so it is recommended to be disabled unless your application requires it.

disable_functions
Directive allows to disable several security-sensitive functions. Previously, this necessitated hand-editing the C code from which PHP was made. For functions reference you can use this list

session.use_only_cookies
Reduce the risk of session fixation by only allowing session IDs to be passed as cookies. In other words enabling this setting prevents attacks involved passing session ids in URLs.