PHP Hardening Security

1. Remove Unnecessary PHP Modules

By default, you get a set of PHP modules that can be helpful in various tasks but some unnecessary modules might not be useful for each project. To list available PHP modules, utilize the given command:

$ php -m

For example, let’s remove the curl module by utilizing the given command:

$ sudo rm -r 20-curl.ini

2. Disable Remote PHP Code Execution

To disable fopen, we need to open the PHP configuration file by utilizing the given command:

$ sudo nano /etc/php.ini

Now, use CRTL + w and type allow_url_fopen which will land us on specific lines from where we will disable those options.

allow_url_fopen=Off
allow_url_include=Off

3. Disable PHP Information Leakage

When not disabled, the world can easily identify which version of PHP is currently used by our web server.

Now, change the defaults to “Off”.

expose_php=Off

4. Disable Dangerous PHP Functions

PHP has various functions enabled by default and can be helpful for development purposes. But many functions can be used by hackers to exploit our web server and disabling them will add a layer of security.

disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo

5. Protect PHP Configurations

While removing unnecessary files, we often remove some crucial files or even directories. So we must tweak settings in such a way that even root users can’t delete them.

$ sudo chattr +i /etc/php.ini

6. Session Security

Sessions are used to preserve information across multiple requests for individual users. The actual information is stored on the server, and a cookie (or, less securely, HTTP request data) containing a session ID is used to validate users. Sessions are used for purposes including authentication into a web application, which is one reason why its security is so important. The following settings can be updated to help reduce the risk of session interception.

session.use_strict_mode = 1

Create a new session ID if the browser sends a previously-uninitialized ID. This helps prevent an attack called session fixation.

session.cookie_httponly = 1

Allow the session cookie to be accessible only from a HTTP request, and not from other sources such as JavaScript. This helps prevent an attack called an XSS attack.

session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0

Save session ID in a cookie, rather than sending it as a URL parameter. This helps keep a user’s session secure by preventing session fixation attacks.

session.name = custom_session_id

Cookies store their information in key-value format. It is advisable to update the default key name of the cookie that stores the session ID. Update “custom_session_id” with a custom value.

session.cookie_secure = 1

If your web application runs over the HTTPS protocol for security, enable this setting to force cookies containing session IDs to be accessed only over a secure connection.

session.referer_check = example.com

Check where the request came from in order to determine whether to allow access to session data. Update this setting value to your application’s domain name to help prevent session information from being accessed if a script is loaded from an external source.

session.save_path = "/var/lib/php/session"

The default session file save path is writeable by all system users. The location should be switched to a more secure directory. Ensure that the new directory location is not located within the web root. If you are using a file manager such as the one included with cPanel, then an easy location to create the session directory is directly outside of the web root (i.e. the same directory that public_html is located within). Another secure location is to create the directory within the PHP directory in “/var/lib”. The path depends on the operating system, i.e. “/var/lib/php” or “/var/lib/php5”. If have open_basedir restrictions in effect, ensure that the session save path is included in the open_basedir whitelist.

session.hash_function = sha512

SHA-512 is a more secure hashing algorithm for creating session IDs compared to the default MD5 hash function. This algorithm is available in PHP version 5.3+. If you are running a lesser version of PHP, use the SHA1 hash algorithm instead. To do so, set “session.hash_function = 1”.

session.bug_compat_42 = 0
session.bug_compat_warn = 0

Soap Cache

soap.wsdl_cache_dir = /var/lib/php/soap_cache

As with file uploads and session data, SOAP cache data should not be stored within the default temporary directory. Set this to a more secure directory.

  • 0 用戶發現這個有用
這篇文章有幫助嗎?