This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "PHP Configuration Cheat Sheet"

From OWASP
= Introduction  =
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
This page provides quick, basic PHP security tips for administrators (and developers, where applicable). Keep in mind that the settings on this page are not sufficient on their own to secure a PHP web application.
Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
 
 
 
 
=Configuration and Deployment=
 
==suhosin==
 
Consider using Stefan Esser's [http://www.hardened-php.net/suhosin/index.html Suhosin] (the Hardened-PHP patch and extension). Note that Suhosin only supports PHP 5; it is not available for PHP 7 and later, so it cannot be relied on for current installations.
 
 
 
==suPHP==
 
{{TBD:}}
 
 
 
==php.ini==
 
Note that some of the following settings need to be adapted to your system, in particular ''/path/'' and ''/application/''. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] regarding the dependencies between some of these settings. Comments in php.ini start with '';''.
 
 
 
 
 
 
 
====PHP error handling====
 
  expose_php              = Off
 
  error_reporting        = E_ALL
 
  display_errors          = Off
 
  display_startup_errors  = Off
 
  log_errors              = On
 
  error_log              = /path/PHP-logs/php_error.log
 
  ignore_repeated_errors  = Off
 
 
 
====PHP general settings====
 
  doc_root                = /path/DocumentRoot/PHP-scripts/
 
  open_basedir            = /path/DocumentRoot/PHP-scripts/
 
  include_path            = /path/PHP-pear/
 
  extension_dir          = /path/PHP-extensions/
 
  mime_magic.magicfile    = /path/PHP-magic.mime   ; legacy: the mime_magic extension was deprecated in PHP 5.3 in favour of Fileinfo (finfo); omit on current versions
 
  allow_url_fopen        = Off
 
  allow_url_include      = Off
 
  variables_order         = "GPCS"   ; not "GPSE": without C, $_COOKIE stays empty and cookie-based sessions break; without E, the environment is not exposed through $_ENV
 
  request_order           = "GP"     ; build $_REQUEST from GET and POST only, so a cookie cannot override a request parameter
 
  allow_webdav_methods    = Off
 
 
 
====PHP file upload handling====
 
  file_uploads            = Off
 
  upload_tmp_dir          = /path/PHP-uploads/
 
  upload_max_filesize     = 1M   ; the web server's request-body limit (Apache LimitRequestBody, nginx client_max_body_size) is enforced first, so set that as well; must not exceed post_max_size
 
  max_file_uploads        = 2
 
 
 
====PHP executable handling====
 
  enable_dl               = Off   ; dl() lets a script load arbitrary extensions at runtime and so bypass disable_functions and open_basedir
 
  ; disable_functions can only be set in php.ini (not in httpd.conf, .htaccess or via ini_set()), and a
  ; directive that appears several times keeps only its last occurrence, so the whole list goes on one line.
  ; show_source is merely an alias of highlight_file: both must be listed to block source disclosure.
  ; fopen_with_path, dbmopen, dbase_open and filepro* belong to extensions that no longer ship with PHP;
  ; unknown names in the list are ignored.
  disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
 
    ; see also: http://de3.php.net/features.safe-mode
 
  disable_classes         =
 
 
 
====PHP session handling====
 
  session.auto_start      = Off
 
  session.save_path      = /path/PHP-session/
 
  session.name            = myPHPSESSID
 
  session.hash_function   = 1   ; SHA-1; removed in PHP 7.1, where the session id is controlled by session.sid_length and session.sid_bits_per_character (defaults 32 and 4, i.e. 128 bits)
 
  session.hash_bits_per_character = 6   ; removed in PHP 7.1 together with session.hash_function
 
  session.use_trans_sid  = 0
 
  session.cookie_domain  = full.qualified.domain.name
 
  session.cookie_path    = /application/path/
 
  session.cookie_lifetime = 0
 
  session.cookie_secure  = On
 
  session.cookie_httponly = 1
 
  session.use_only_cookies = 1
 
  session.cache_expire    = 30
 
  default_socket_timeout  = 60
 
  ; On PHP 5.5.2 and later also set session.use_strict_mode = 1, which rejects uninitialised session ids
  ; supplied by the client and so defeats session fixation; on PHP 7.3 and later also set
  ; session.cookie_samesite = "Strict" (or "Lax").
 
 
 
====some more paranoid security settings====
 
  session.referer_check   = /application/path   ; only checked when the client sends a Referer (an absent header passes), so treat this as minor hardening, not a fixation or CSRF defence
 
  memory_limit            = 2M   ; deliberately tight: raise to what the application needs, keeping upload_max_filesize <= post_max_size <= memory_limit (PHP manual)
 
  post_max_size           = 2M
 
  max_execution_time      = 9
 
  report_memleaks        = On
 
  track_errors            = Off
 
  html_errors            = Off
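 
To check that a live server actually carries these settings, the following script is an added example and not part of the OWASP cheat sheet. It reads the running values with ini_get() and compares them with the recommendations above, verifies the size-limit ordering the PHP manual requires, confirms that both show_source and highlight_file are disabled, and scans the loaded php.ini for directives listed more than once (a directive that appears twice keeps only its last value). The file name audit_php_ini.php and the set of directives it checks are the example's own choices.

```php
<?php
// audit_php_ini.php: added example, not part of the OWASP cheat sheet.
// Compares the running configuration with the values recommended above and
// lints the loaded php.ini for directives that appear more than once (php.ini
// keeps only the last occurrence, so the earlier ones are silently lost).
// Run it through the SAPI that serves the application (php-fpm, mod_php): the
// CLI SAPI forces display_errors=1 and max_execution_time=0 and would report them.
declare(strict_types=1);

// Boolean directives from the cheat sheet. Paths are site-specific and not checked.
const EXPECTED = [
    'expose_php'               => false,
    'display_errors'           => false,
    'display_startup_errors'   => false,
    'log_errors'               => true,
    'html_errors'              => false,
    'allow_url_fopen'          => false,
    'allow_url_include'        => false,
    'enable_dl'                => false,
    'file_uploads'             => false,
    'session.auto_start'       => false,
    'session.use_trans_sid'    => false,
    'session.cookie_secure'    => true,
    'session.cookie_httponly'  => true,
    'session.use_only_cookies' => true,
];

// php.ini booleans may be spelled On/Off, 1/0, true/false or yes/no.
function iniBool(string $value): bool
{
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes'], true);
}

// Shorthand sizes ("2M", "128K", "1G") to bytes; -1 means unlimited.
function iniBytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return PHP_INT_MAX;
    }
    if ($value === '') {
        return 0;
    }
    $mult = ['K' => 1024, 'M' => 1024 ** 2, 'G' => 1024 ** 3];
    return (int) $value * ($mult[strtoupper(substr($value, -1))] ?? 1);
}

function auditRuntime(): array
{
    $findings = [];
    foreach (EXPECTED as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {                 // directive unknown to this PHP build
            $findings[] = "$directive: not available in this PHP version";
        } elseif (iniBool($have) !== $want) {
            $findings[] = sprintf('%s is "%s", expected %s', $directive, $have, $want ? 'On' : 'Off');
        }
    }
    // The manual requires upload_max_filesize <= post_max_size <= memory_limit;
    // otherwise the larger limit can never be reached.
    $upload = iniBytes((string) ini_get('upload_max_filesize'));
    $post   = iniBytes((string) ini_get('post_max_size'));
    $mem    = iniBytes((string) ini_get('memory_limit'));
    if ($upload > $post || $post > $mem) {
        $findings[] = 'size limits are not ordered: upload_max_filesize <= post_max_size <= memory_limit';
    }
    // show_source is only an alias of highlight_file: disabling one leaves the other usable.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['show_source', 'highlight_file'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not in disable_functions";
        }
    }
    return $findings;
}

// Directives set more than once within one section of an ini file, with their line numbers.
function duplicateDirectives(string $iniText): array
{
    $seen = [];
    $section = '';
    foreach (preg_split('/\R/', $iniText) as $i => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === ';' || $line[0] === '#') {
            continue;                           // blank or comment
        }
        if (preg_match('/^\[([^\]]+)\]/', $line, $m)) {
            $section = $m[1];                   // [PHP], [HOST=...], [PATH=...]
        } elseif (preg_match('/^([A-Za-z0-9_.]+)\s*=/', $line, $m)) {
            $seen["$section:{$m[1]}"][] = $i + 1;
        }
    }
    return array_filter($seen, function (array $lines): bool { return count($lines) > 1; });
}

$findings = auditRuntime();
$iniPath  = php_ini_loaded_file();              // false when PHP runs without a php.ini
if ($iniPath !== false) {
    foreach (duplicateDirectives((string) file_get_contents($iniPath)) as $key => $lines) {
        $findings[] = "$iniPath: $key set more than once (lines " . implode(', ', $lines) . "); only the last applies";
    }
}
foreach ($findings as $finding) {
    echo "- $finding\n";
}
exit($findings === [] ? 0 : 1);
```

Run it through the SAPI that serves the application (for example temporarily under the document root, or with php-cgi), not the php command-line binary: the CLI forces display_errors=1 and max_execution_time=0 and may read a different php.ini (php --ini shows which). Files from the additional-ini scan directory, listed by php_ini_scanned_files(), are not examined for duplicates.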
 
 
 
====old, deprecated====
 
Use these settings only on old PHP versions that still support them: register_globals, magic_quotes_* and safe_mode were deprecated in PHP 5.3 and removed in PHP 5.4, and unknown directives in php.ini are ignored silently. magic_quotes_gpc is not a defence against SQL injection; the application must still use prepared statements or proper escaping.
 
  register_globals        = Off
 
  gpc_order               = "GP"
 
  magic_quotes_gpc        = On
 
  safe_mode               = On
 
  safe_mode_include_dir   = /path/PHP-include
 
  safe_mode_exec_dir      = /path/PHP-executable
 
  safe_mode_allowed_env_vars   = PHP_
 
  ; a repeated directive keeps only its last occurrence, so the whole list must be on one line
  safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
 
 
 
====PHP Database Settings====
 
{{TBD: database settings should be done in the web server's configuration (e.g. httpd.conf)}}
 
 
 
====PHP Database User====
 
{{TBD: explain the pros and cons of what to set in php.ini and/or httpd.conf and/or the registry}}
 
 
 
====PHP Windows specific Settings====
 
{{TBD:}}
 
 
 
====PHP Extension====
 
{{TBD:}}
 
 
 
= Related Cheat Sheets  =
 
 
 
[[PHP_Security_Cheat_Sheet]]
 
 
 
= Authors and Primary Editors  =
 
 
 
[[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
 
 
 
--[[User:Achim|Achim]], 30. November 2012
 
 
 
= Other Cheatsheets =
 
{{Cheatsheet_Navigation}}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 13:16, 20 February 2019
