
  • PHP Security Settings.

    PHP-based apps can face different types of attacks:

    1. XSS – Cross-site scripting
    2. SQL injection
    3. File uploads
    4. Including local and remote files
    5. eval() – Evaluate a string as PHP code.
    6. Sea-surf Attack (Cross-site request forgery – CSRF)

    Find Built-in PHP Modules

    # php -m

    Restrict PHP Information Leakage

    To restrict PHP information leakage disable expose_php.


    When enabled, expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header (e.g., X-Powered-By: PHP/5.3.3). When expose_php is enabled, you can see the PHP version using the following command.

    $ curl -I

    Also, please set up the ServerTokens and ServerSignature directives in httpd.conf to hide the Apache version and other information.

    Minimize Loadable PHP Modules (Dynamic Extensions)

    PHP supports “Dynamic Extensions”. By default, it loads all the extension modules found in the /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in the /etc/php.d/ directory and comment out the module name.

    Log All PHP Errors

    Do not expose PHP error messages to all site visitors. Edit php configuration file and set the following directive:


    Make sure you log all php errors to a log file:


    Disallow Uploading Files

    Edit PHP conf and set the following directive to disable file uploads for security reasons:


    If the user's application needs to upload files, turn this feature on. Setting upload_max_filesize limits the maximum size of files that PHP will accept through uploads:

    # user can only upload up to 1MB via PHP

    Turn Off Remote Code Execution

    If enabled, allow_url_fopen allows PHP’s file functions, such as file_get_contents() and the include and require statements, to retrieve data from remote locations, like an FTP or web site. Edit the PHP configuration file and set the following directive:


    It is also recommended to disable allow_url_include for security reasons:

    Enable SQL Safe Mode

    Edit PHP conf and set the following directive:
    If turned On, mysql_connect() and mysql_pconnect() ignore any arguments passed to them. Please note that you may have to make some changes to your code. Third-party and open source applications such as WordPress, and others, may not work at all when sql.safe_mode is enabled. I also recommend that you turn off magic_quotes_gpc.

    Control POST Size

    The HTTP POST request method is used when the client (browser or user) needs to send data to the Apache web server as part of the request, such as when uploading a file or submitting a completed form. Attackers may attempt to send oversized POST requests to eat your system resources. You can limit the maximum size POST request that PHP will process. Edit PHP configuration file and set the following directive:
    ; Set a realistic value here

    Resource Control (DoS Control)

    We can set the maximum execution time of each PHP script, in seconds. Another recommended option is to set the maximum amount of time each script may spend parsing request data, and the maximum amount of memory a script may consume.

    # set in seconds
    max_execution_time = 30
    max_input_time = 30
    memory_limit = 40M

    Install Suhosin Advanced Protection System for PHP

    Disabling Dangerous PHP Functions

    PHP has a lot of functions which can be used to crack your server if not used properly. You can set a list of functions in the configuration file using the disable_functions directive:
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

    Limit PHP Access To File System

    The open_basedir directive sets the directories from which PHP is allowed to access files using functions like fopen(), and others. If a file is outside of the paths defined by open_basedir, PHP will refuse to open it. You cannot use a symbolic link as a workaround. For example, only allow access to the /var/www/html directory and not to /var/www, or /tmp or /etc directories:

    ; Limits the PHP process from accessing files outside
    ; of specifically designated directories such as /var/www/html/
    ; ------------------------------------
    ; Multiple dirs example
    ; open_basedir="/home/httpd/vhost/"
    ; ------------------------------------

    Session Path

    Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.
    ; Set the temporary directory used for storing files when doing file upload

    Restrict File and Directory Access

    Check the file and directory permissions

    Install Mod_security

    ModSecurity is an open source intrusion detection and prevention engine for web applications. You can easily install mod_security under Linux and protect Apache and PHP-based apps from XSS and various other attacks:
    ## A few Examples ##
    # Do not allow to open files in /etc/
    SecFilter /etc/
    # Stop SQL injection
    SecFilter "delete[[:space:]]+from"
    SecFilter "select.+from"
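
As an added example (not part of the original post), the script below audits php.ini text against the directives this post discusses. `display_errors` and `log_errors` are PHP's standard directive names for the error settings the post describes without showing; the 128M memory ceiling, the helper names `parse_ini`, `to_bytes` and `audit`, and the sample file are assumptions made for illustration.

```python
import re

BOOL_TRUE = {"1", "on", "true", "yes"}
BOOL_FALSE = {"0", "off", "false", "no", "none"}
MUST_BE_OFF = ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include")
RISKY_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_ini(text):
    """Return {directive: value}; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def to_bytes(value):
    """Convert PHP shorthand such as 40M to bytes; None if unparsable."""
    m = re.fullmatch(r"(-?\d+)\s*([KMG]?)", value.strip(), re.I)
    return int(m.group(1)) * UNITS[m.group(2).upper()] if m else None

def audit(text, max_memory="128M"):
    s, findings = parse_ini(text), []
    for name in MUST_BE_OFF:
        if s.get(name, "").lower() not in BOOL_FALSE:
            findings.append(f"{name}: {s.get(name, 'not set')}")
    if s.get("log_errors", "").lower() not in BOOL_TRUE:
        findings.append("log_errors: not enabled")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    if RISKY_FUNCS - disabled:
        findings.append("disable_functions: missing " + ",".join(sorted(RISKY_FUNCS - disabled)))
    if not s.get("open_basedir"):
        findings.append("open_basedir: not set")
    mem = to_bytes(s.get("memory_limit", ""))
    if mem is None or mem < 0 or mem > to_bytes(max_memory):  # -1 = no limit
        findings.append(f"memory_limit: unset, unlimited or above {max_memory}")
    return findings

# Constructed sample, not taken from a real server
WEAK_INI = """[PHP]
display_errors = On   ; shown to visitors
allow_url_fopen = On
disable_functions = exec,passthru
memory_limit = -1
"""
if __name__ == "__main__":
    print("\n".join(audit(WEAK_INI)))
```

The parser cuts each line at the first `;`, so a quoted value that itself contains a semicolon is not handled.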

  • #2
    The topic is quite useful, though I have a doubt about 'memory_limit = 40M'. I have seen that on most servers 'memory_limit' is set to 128, 512 or even 1024M. Is this memory_limit consuming the physical memory (RAM) for executing the scripts?

    Can anyone update on this?


    • nirmal
      nirmal commented
      Yes. It's the maximum amount of physical memory allocated to PHP by an Apache process for executing scripts. memory_limit limits memory usage for a script per request.
      Last edited by nirmal; 9th June 2014, 05:48 AM.

  • #3
    Thanks Nirmal.

