|
|
| (5 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| | + | __NOTOC__ |
| | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | = Introduction =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | | |
| − | This page is part of the [[PHP Security Cheat Sheet]], for developers and administrators. It describes secure configuration of PHP and its platform.
| + | Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet. |
| − | ====<center>..: Work in Progress :..</center>====
| |
| − | ----
| |
| − | | |
| − | =Web Server Configuration=
| |
| − | ==Apache==
| |
| − | ===suPHP===
| |
| − | [http://suphp.org suPHP] makes every php script run as its file owner. This way you are allowed to upload and modify files in your folders without needing to '''chmod 777''' any folder, which is very bad security practice and will let to your files be compromised easily. Install and configure it on your web server.
| |
| − | | |
| − | =PHP Configuration and Deployment=
| |
| − | ==suhosin==
| |
| − | Consider using [http://www.hardened-php.net/suhosin/index.html Suhosin] (Stefan Esser's [Hardened PHP patch]) if you want to patch many custom security flaws in various parts of PHP.
| |
| − | | |
| − | ==php.ini==
| |
| − | Note that some of following settings need to be adapted to your system, in particular <code style="background:#ddd">/path/</code> and <code style="background:#ddd">/application/</code>. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
| |
| − | | |
| − | | |
| − | | |
| − | ====PHP error handlling====
| |
| − | expose_php = Off
| |
| − | error_reporting = E_ALL
| |
| − | display_errors = Off
| |
| − | display_startup_errors = Off
| |
| − | log_errors = On
| |
| − | error_log = /valid_path/PHP-logs/php_error.log
| |
| − | ignore_repeated_errors = Off
| |
| − | | |
| − | | |
| − | Keep in mind that you need to have display_errors off on a production server and it's a good idea to frequently notice the logs.
| |
| − | | |
| − | ====PHP general settings====
| |
| − | doc_root = /path/DocumentRoot/PHP-scripts/
| |
| − | open_basedir = /path/DocumentRoot/PHP-scripts/
| |
| − | include_path = /path/PHP-pear/
| |
| − | extension_dir = /path/PHP-extensions/
| |
| − | mime_magic.magicfile = /path/PHP-magic.mime
| |
| − | allow_url_fopen = Off
| |
| − | allow_url_include = Off
| |
| − | variables_order = "GPSE"
| |
| − | allow_webdav_methods = Off
| |
| − | register_globals = Off
| |
| − | safe_mode = Off
| |
| − | Allow_url_* prevents LFIs to be easily escalated to RFIs.
| |
| − | | |
| − | ====PHP file upload handling====
| |
| − | file_uploads = On
| |
| − | upload_tmp_dir = /path/PHP-uploads/
| |
| − | upload_max_filesize = 2M
| |
| − | max_file_uploads = 2
| |
| − |
| |
| − | It's a good idea to turn it off, if your application is not using file uploads.
| |
| − | | |
| − | ====PHP executable handling====
| |
| − | enable_dl = On
| |
| − | disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
| |
| − | disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file
| |
| − | disable_functions = chdir, mkdir, rmdir, chmod, rename
| |
| − | disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
| |
| − | # see also: http://ir.php.net/features.safe-mode
| |
| − | disable_classes =
| |
| − | | |
| − | These are dangerous PHP functions. You should disable all that you don't use.
| |
| − | | |
| − | ====PHP session handling====
| |
| − | session.auto_start = Off
| |
| − | session.save_path = /path/PHP-session/
| |
| − | session.name = myPHPSESSID
| |
| − | session.hash_function = 1
| |
| − | session.hash_bits_per_character = 6
| |
| − | session.user_trans_sid = 0
| |
| − | session.cookie_domain = full.qualified.domain.name
| |
| − | #session.cookie_path = /application/path/
| |
| − | session.cookie_lifetime = 0
| |
| − | session.cookie_secure = On
| |
| − | session.cookie_httponly = 1
| |
| − | session.user_only_cookies= 1
| |
| − | session.cache_expire = 30
| |
| − | default_socket_timeout = 60
| |
| − | | |
| − | It is a good practice to change session.name to something new.
| |
| − | | |
| − | ====some more security paranoid checks====
| |
| − | session.referer_check = /application/path
| |
| − | memory_limit = 8M
| |
| − | post_max_size = 8M
| |
| − | max_execution_time = 60
| |
| − | report_memleaks = On
| |
| − | track_errors = Off
| |
| − | html_errors = Off
| |
| − | | |
| − | ====PHP Database Settings====
| |
| − | {{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}}
| |
| − | | |
| − | ====PHP Database User====
| |
| − | {{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}}
| |
| − | | |
| − | ====PHP Windows specific Settings====
| |
| − | {{TBD:}}
| |
| − | | |
| − | ====PHP Extension====
| |
| − | {{TBD:}}
| |
| − | | |
| − | = Related Cheat Sheets =
| |
| − | | |
| − | [[PHP_Security_Cheat_Sheet]]
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | [[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
| |
| − | | |
| − | | |
| − | | |
| − | --[[User:Achim|Achim]], 30. November 2012
| |
| − | | |
| − | = Other Cheatsheets =
| |
| − | {{Cheatsheet_Navigation}}
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
