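--- a/PHP_Configuration_Cheat_Sheet
+++ b/PHP_Configuration_Cheat_Sheet
@@ -1,110 +1,6 @@
+__NOTOC__
+<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
-= Introduction =
+The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
 
-This page intends to provide quick basic PHP security tips for administrators (and developers, if applicable). Keep in mind that tips mentioned in this page are not enough for securing your PHP web application.
+Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
-
-
-=Configuration and Deployment=
-==suhosin==
-Consider using Stefan Esser's <u>[[http://www.hardened-php.net/suhosin/index.html Hardened PHP patch]]</u> .
-
-==suPHP==
-{{TBD:}}
-
-==php.ini==
-Note that some of following settings need to be adapted to your system. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
-
-====PHP error handlling====
-expose_php = Off
-error_reporting = E_ALL
-display_errors = Off
-display_startup_errors = Off
-log_errors = On
-error_log = /path/PHP-logs/php_error.log
-ignore_repeated_errors = Off
-
-====PHP general settings====
-doc_root = /path/DocumentRoot/PHP-scripts/
-open_basedir = /path/DocumentRoot/PHP-scripts/
-include_path = /path/PHP-pear/
-extension_dir = /path/PHP-extensions/
-mime_magic.magicfile = /path/PHP-magic.mime
-allow_url_fopen = Off
-allow_url_include = Off
-variables_order = "GPSE"
-allow_webdav_methods = Off
-
-====PHP file upload handling====
-file_uploads = Off
-upload_tmp_dir = /path/PHP-uploads/
-upload_max_filesize = 1M # NOTE: more or less useless as first handled by the web server
-max_file_uploads = 2
-
-====PHP executable handling====
-enable_dl = On
-disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
-disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file
-disable_functions = chdir, mkdir, rmdir, chmod, rename
-disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
-# see also: http://de3.php.net/features.safe-mode
-disable_classes =
-
-====PHP session handling====
-session.auto_start = Off
-session.save_path = /path/PHP-session/
-session.name = myPHPSESSID
-session.hash_function = 1
-session.hash_bits_per_character = 6
-session.use_trans_sid = 0
-session.cookie_domain = full.qualified.domain.name
-session.cookie_path = /application/path/
-session.cookie_lifetime = 0
-session.cookie_secure = On
-session.cookie_httponly = 1
-session.use_only_cookies= 1
-session.cache_expire = 30
-default_socket_timeout = 60
-
-====some more security paranoid checks====
-session.referer_check = /application/path
-memory_limit = 2M
-post_max_size = 2M
-mx_execution_time = 9
-report_memleaks = On
-track_errors = Off
-html_errors = Off
-
-====old, depricated====
-Use these configurations in older PHP versions if necessary.
-register_globals = Off
-gpc_order = "GP"
-magic_quotes_gpc = On
-safe_mode = On
-safe_mode_include_dir = /path/PHP-include
-safe_mode_exec_dir = /path/PHP-executable
-safe_mode_allowed_env_vars = PHP_
-safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
-
-====Database Settings====
-{{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}}
-
-====Database User====
-{{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}}
-
-====Session Management====
-{{TBD:}}
-
-= Related Cheat Sheets =
-
-[[PHP_Security_Cheat_Sheet]]
-
-= Authors and Primary Editors =
-
-[[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
-
---[[User:Achim|Achim]], 30 November 2012
-
-= Other Cheatsheets =
-{{Cheatsheet_Navigation}}
-
-[[Category:Cheatsheets]]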