Recommended: "PHP Video Tutorial"
docker-entrypoint.shscript to illustrate the example, but of course you can apply this to a non-docker environment.
Sessions
Use a longer Session ID length
Increasing the session ID length will make it harder for attackers to guess (Via brute force or more likely side channel attack). The length can be between 22 and 256 characters. The default value is 32.sed -i -e "s/session.sid_length = 26/session.sid_length = 42/" /etc/php7/php.ini
Use a custom session save path with restricted permissions
Only nginx/php needs access to the session, so let’s put them in a special session with restricted permissions folder.sed -i -e "s:;session.save_path = \"/tmp\":session.save_path = \"/sessions\":" /etc/php7/php.ini mkdir -p /sessions chown nginx:nginx /sessions chmod 700 /sessions
Secure Session Cookie
session .cookie_httponly to prevent javascript from accessing them. More information.
sed -i -e "s/session.cookie_httponly.*/session.cookie_httponly = true/" /etc/php7/php.ini sed -i -e "s/;session.cookie_secure.*/session.cookie_secure = true/" /etc/php7/php.ini
session.cookie_secure Prevents your cookies from being transmitted over clear text HTTP.
session.cookie_samesite to prevent cross-site attacks. Only works with latest PHP/browsers.
Using Strict Mode
Due to the cookie specification, an attacker is able to place a non-removable session ID cookie by setting the cookie database locally or via JavaScript injection.session.use_strict_mode Prevents the use of an attacker-initiated session ID.
Limited lifetime
The session should be closed with the browser. Therefore setsession.cookie_lifetime to 0.
Open_basedir
open_basedir is a php.ini configuration option that allows you to limit the files/directories that PHP can access .
sed -i -e "s#;open_basedir =#open_basedir = /elabftw/:/tmp/:/usr/bin/unzip#" /etc/php7/php.ini
/elabftw is the location where all source php files are located. I don't remember why /tmp is here, but there must be a reason.
Disable Features
Be careful with this as you can easily screw up an app. But it's definitely worth investigating. Assuming an attacker somehow uploaded a webshell, if it was disabled correctly, the webshell wouldn't really work becauseshell_exec would be disabled and so would the same. I've provided a list that works for elabftw, but it's not 100% complete.
sed -i -e "s/disable_functions =/disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, phpinfo/" /etc/php7/php.ini
Disable url_fopen
allow_url_fopen This option is very dangerous. Disable it. More informationhere.
sed -i -e "s/allow_url_fopen = On/allow_url_fopen = Off/" /etc/php7/php.ini
Disable cgi.fix_pathinfo
You don’t want non-PHP files to execute as PHP files, right? Then disable this feature.More information.
sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" /etc/php7/php.ini
Hide PHP version
Finally, without thinking:sed -i -e "s/expose_php = On/expose_php = Off/g" /etc/php7/php.ini
Original address: https://dev.to/elabftw/10-steps-for-securing-a-php-app-5fnp
Translation address: https://learnku.com /php/t/50851
The above is the detailed content of Share ten essential tips for PHP security. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
