    Tips to secure PHP

    *Default PHP configuration file: /etc/php.ini
    *Default PHP extensions config directory: /etc/php.d/
    *Our sample PHP security config file: /etc/php.d/security.ini (this file needs to be created manually)

    1. Remove unnecessary PHP modules

    Use php -m to list the PHP modules currently loaded:

    # php -m

    Then remove an unneeded module's config file, or rename it so it is no longer loaded:

    # rm /etc/php.d/modulename.ini
    # mv /etc/php.d/modulename.ini /etc/php.d/modulename.disable

    Replace "modulename" with the actual module name.

    2. Disable expose_php

    We can hide the PHP version and other details by setting this directive to Off. If we don't, an attacker can read the version from the response headers and target the security vulnerabilities known for that specific PHP version.

    Edit /etc/php.d/security.ini and add (note that php.ini uses ; for comments, so the directive must not be prefixed with # or ;):

    expose_php = Off

    3. Restrict file uploads when not needed

    Set file_uploads = Off in security.ini.

    If uploads are needed, limit the maximum upload size instead: upload_max_filesize = 5M

    4. Log PHP errors instead of displaying them

    Set display_errors = Off

    and enable logging:

    log_errors = On
    error_log = /var/log/httpd/php_scripts_error.log

    5. Turn off remote file execution

    allow_url_fopen = Off    ; disables opening URLs with the file functions

    allow_url_include = Off  ; disables including files from URLs

    6. Resource control

    Limit the maximum amount of time and the maximum amount of memory a script may consume:

    ; time limits are in seconds
    max_execution_time = 30
    max_input_time = 30
    ; memory per script
    memory_limit = 40M

    7. Limit POST size

    Limit the maximum size of a POST request that PHP will process. Edit /etc/php.d/security.ini and set the following directive:

    post_max_size = 1K

    Size this for the largest legitimate request the application must accept; if uploads are enabled it must also be at least upload_max_filesize, or uploads will fail.

    8. Limit the use of functions like exec, passthru, shell_exec, proc_open, curl_exec and popen

    disable_functions = exec,passthru,shell_exec,proc_open,curl_exec,popen

    9. Make sure there is no file on the server that calls phpinfo(). If you need one temporarily, don't give it an easily guessed name like phpinfo.php, don't store it in the root of the web-accessible directory, and delete it once you're done.

    10. Always run an up-to-date PHP version.
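As an added example (not part of the original post), here is a small Python audit that parses a php.ini-style fragment and reports which of the directives above are missing or weak. The two embedded ini fragments are constructed samples; the hardened one is the security.ini assembled from the tips.

```python
# Expected boolean directives (taken from the tips above); disable_functions is checked as a set.
EXPECTED = {
    "expose_php": "off", "file_uploads": "off", "display_errors": "off",
    "log_errors": "on", "allow_url_fopen": "off", "allow_url_include": "off",
}
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "proc_open", "curl_exec", "popen"}

def parse_ini(text):
    """Parse 'key = value' lines; ';' starts a comment (php.ini syntax); quotes are stripped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip('"')
    return directives

def normalise_bool(value):
    """PHP treats on/1/true/yes as on; anything else, including an empty value, as off."""
    return "on" if value.strip().lower() in ("on", "1", "true", "yes") else "off"

def audit(text):
    """Return a list of findings; an empty list means the fragment matches the tips."""
    conf = parse_ini(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in conf:
            findings.append(f"{key}: not set (PHP default applies)")
        elif normalise_bool(conf[key]) != want:
            findings.append(f"{key}: is {conf[key]}, expected {want.capitalize()}")
    disabled = {f.strip() for f in conf.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return findings

# Constructed samples: a weak fragment and the hardened security.ini from the post.
WEAK_INI = "expose_php = On\ndisplay_errors = On\nallow_url_fopen = On\ndisable_functions = exec,passthru\n"
HARDENED_INI = """; /etc/php.d/security.ini
expose_php = Off
file_uploads = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off ; disables processing of URLs
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,proc_open,curl_exec,popen
"""
```

audit(WEAK_INI) returns seven findings (three directives set to On, three not set, and four functions missing from disable_functions), while audit(HARDENED_INI) returns an empty list. To audit a live file, pass the contents of /etc/php.d/security.ini, or the output of php -i, to audit().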