
Quick reference table of PHP security configuration maintained by OWASP

2022-06-24 06:14:00 User 1685462

Introduction

The purpose of this page is to help those who configure PHP, and the web server it runs on, to make that deployment secure.

Below you will find information on the correct settings for the php.ini file.

php.ini

Some of the following settings need to be adapted to your system, in particular session.save_path, session.cookie_path (for example: /var/www/mysite) and session.cookie_domain (for example: ExampleSite.com).

You should also be running PHP 7.2 or higher. If you are running PHP 7.0 or 7.1, you will use slightly different values in a couple of places below (see the inline comments). Finally, consult the PHP documentation for a reference on each value in the php.ini configuration file.

A copy of the following configuration can be found in a ready-made php.ini file here.

PHP Error handling

expose_php              = Off
error_reporting         = E_ALL
display_errors          = Off
display_startup_errors  = Off
log_errors              = On
error_log               = /valid_path/PHP-logs/php_error.log
ignore_repeated_errors  = Off

Note: keep display_errors set to Off in production, and get into the good habit of checking these logs frequently.

PHP General settings

doc_root                = /path/DocumentRoot/PHP-scripts/
open_basedir            = /path/DocumentRoot/PHP-scripts/
include_path            = /path/PHP-pear/
extension_dir           = /path/PHP-extensions/
mime_magic.magicfile    = /path/PHP-magic.mime
allow_url_fopen         = Off
allow_url_include       = Off
variables_order         = "GPCS"
allow_webdav_methods    = Off
session.gc_maxlifetime  = 600

Turning allow_url_* off keeps a local file inclusion (LFI) from being easily escalated into a remote file inclusion (RFI).

PHP file upload handling

file_uploads            = On
upload_tmp_dir          = /path/PHP-uploads/
upload_max_filesize     = 2M
max_file_uploads        = 2

If your application does not use file uploads, that is, the only way users submit input is through forms without file attachments, file_uploads should be set to Off.

PHP executable handling

enable_dl               = Off
disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
; See also: http://ir.php.net/features.safe-mode  (php.ini comments start with ';'; PHP 7 dropped support for '#')
disable_classes         = 

The functions and classes listed above are dangerous ones in PHP; you should disable any that your application does not use.

PHP session handling

The session settings are some of the most important values to get right. Changing session.name to something new is good practice.

; php.ini comments use ';' (support for '#' comments was removed in PHP 7)
session.save_path                = /path/PHP-session/
session.name                     = myPHPSESSID
session.auto_start               = Off
session.use_trans_sid            = 0
session.cookie_domain            = full.qualified.domain.name
;session.cookie_path             = /application/path/
session.use_strict_mode          = 1
session.use_cookies              = 1
session.use_only_cookies         = 1
session.cookie_lifetime          = 14400 ; 4 hours
session.cookie_secure            = 1
session.cookie_httponly          = 1
session.cookie_samesite          = Strict
session.cache_expire             = 30
session.sid_length               = 256
session.sid_bits_per_character   = 6 ; PHP 7.2+
session.hash_function            = 1 ; PHP 7.0-7.1
session.hash_bits_per_character  = 6 ; PHP 7.0-7.1

Some more security-paranoid checks

session.referer_check   = /application/path
memory_limit            = 50M
post_max_size           = 20M
max_execution_time      = 60
report_memleaks         = On
track_errors            = Off
html_errors             = Off
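As an added check, not part of the OWASP cheat sheet or of this page, the following Python script parses a php.ini and reports every directive that is missing or differs from the values recommended above. The php.ini it audits is a constructed sample, and the BASELINE dictionary covers only a subset of the page's settings; extend it with the remaining directives for your own audits.

```python
# Hardened baseline from this page; booleans normalised to "1"/"0" (On/Off, 1/0, true/false).
BASELINE = {
    "expose_php": "0", "display_errors": "0", "display_startup_errors": "0",
    "log_errors": "1", "allow_url_fopen": "0",
    "session.use_strict_mode": "1", "session.cookie_secure": "1",
}
BOOL_WORDS = {"on": "1", "true": "1", "yes": "1", "off": "0", "false": "0", "no": "0", "none": "0", "": "0"}

def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a double-quoted value."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line

def normalise(value):
    v = value.strip().strip('"').lower()
    return BOOL_WORDS.get(v, v)

def parse_php_ini(text):
    """Map directive -> raw value; skips blanks, [sections] and ';' comments
    (PHP 7+ no longer accepts '#' comments in php.ini)."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(ini_text):
    """List (directive, value found or None, expected) for each baseline directive
    that is absent (so PHP's built-in default applies) or set to something else."""
    found = parse_php_ini(ini_text)
    return [(k, found.get(k), exp) for k, exp in BASELINE.items()
            if found.get(k) is None or normalise(found[k]) != exp]

# Constructed sample php.ini: display_errors is wrong, display_startup_errors is missing.
SAMPLE_INI = """[PHP]
expose_php = Off
display_errors = On   ; left on by mistake
log_errors = On
allow_url_fopen = Off
[Session]
session.use_strict_mode = 1
session.cookie_secure = "1"
"""
```

Run `audit(open("/etc/php/php.ini").read())` (path is an assumption; use your own) to list deviations; `audit(SAMPLE_INI)` flags display_errors and the absent display_startup_errors.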