This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "PHP Configuration Cheat Sheet"

From OWASP
Jump to: navigation, search
(post_max_size = 8M suggestions)
(Migration to GitHub)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 +
__NOTOC__
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
= Introduction  =
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
This page is part of the [[PHP Security Cheat Sheet]], for developers and administrators. It describes secure configuration of PHP and its platform.
+
Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
====<center>..: Work in Progress :..</center>====
 
----
 
 
 
=Web Server Configuration=
 
==Apache==
 
===suPHP===
 
[http://suphp.org suPHP] makes every php script run as its file owner. This way you are allowed to upload and modify files in your folders without needing to '''chmod 777''' any folder, which is very bad security practice and will let to your files be compromised easily. Install and configure it on your web server.
 
 
 
=PHP Configuration and Deployment=
 
==suhosin==
 
Consider using [http://www.hardened-php.net/suhosin/index.html Suhosin] (Stefan Esser's [Hardened PHP patch]) if you want to patch many custom security flaws in various parts of PHP.
 
 
 
==php.ini==
 
Note that some of following settings need to be adapted to your system, in particular <code style="background:#ddd">/path/</code> and <code style="background:#ddd">/application/</code>. Also read the [http://www.php.net/manual/ini.core.php PHP Manual] according dependencies of some settings.
 
 
 
 
 
 
 
====PHP error handlling====
 
  expose_php              = Off
 
  error_reporting        = E_ALL
 
  display_errors          = Off
 
  display_startup_errors  = Off
 
  log_errors              = On
 
  error_log              = /valid_path/PHP-logs/php_error.log
 
  ignore_repeated_errors  = Off
 
 
 
 
 
Keep in mind that you need to have display_errors off on a production server and it's a good idea to frequently notice the logs.
 
 
 
====PHP general settings====
 
  doc_root                = /path/DocumentRoot/PHP-scripts/
 
  open_basedir            = /path/DocumentRoot/PHP-scripts/
 
  include_path            = /path/PHP-pear/
 
  extension_dir          = /path/PHP-extensions/
 
  mime_magic.magicfile   = /path/PHP-magic.mime
 
  allow_url_fopen        = Off
 
  allow_url_include      = Off
 
  variables_order        = "GPSE"
 
  allow_webdav_methods    = Off
 
 
 
 
 
Allow_url_* prevents LFIs to be easily escalated to RFIs.
 
 
 
====PHP file upload handling====
 
  file_uploads            = On
 
  upload_tmp_dir          = /path/PHP-uploads/
 
  upload_max_filesize    = 2M
 
  max_file_uploads        = 2
 
 
 
It's a good idea to turn it off, if your application is not using file uploads.
 
 
 
====PHP executable handling====
 
  enable_dl              = On
 
  disable_functions      = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
 
  disable_functions      = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file
 
  disable_functions      = chdir, mkdir, rmdir, chmod, rename
 
  disable_functions      = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
 
    # see also: http://ir.php.net/features.safe-mode
 
  disable_classes        =
 
 
 
These are dangerous PHP functions. You should disable all that you don't use.
 
 
 
====PHP session handling====
 
  session.auto_start      = Off
 
  session.save_path      = /path/PHP-session/
 
  session.name            = myPHPSESSID
 
  session.hash_function  = 1
 
  session.hash_bits_per_character = 6
 
  session.use_trans_sid  = 0
 
  session.cookie_domain  = full.qualified.domain.name
 
  #session.cookie_path    = /application/path/
 
  session.cookie_lifetime = 0
 
  session.cookie_secure  = On
 
  session.cookie_httponly = 1
 
  session.use_only_cookies= 1
 
  session.cache_expire    = 30
 
  default_socket_timeout  = 60
 
 
 
It is a good practice to change session.name to something new.
 
 
 
====some more security paranoid checks====
 
  session.referer_check  = /application/path
 
  memory_limit            = 8M
 
  post_max_size          = 8M
 
  max_execution_time      = 60
 
  report_memleaks        = On
 
  track_errors            = Off
 
  html_errors            = Off
 
 
 
====PHP Database Settings====
 
{{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}}
 
 
 
====PHP Database User====
 
{{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}}
 
 
 
====PHP Windows specific Settings====
 
{{TBD:}}
 
 
 
====PHP Extension====
 
{{TBD:}}
 
 
 
= Related Cheat Sheets  =
 
 
 
[[PHP_Security_Cheat_Sheet]]
 
 
 
= Authors and Primary Editors  =
 
 
 
[[User:Achim|Achim]] Hoffmann - [mailto:achim_at_owasp.org Achim at owasp.org]
 
 
 
--[[User:Abbas Naderi|AbiusX]] [mailto:[email protected] email]
 
 
 
--[[User:Achim|Achim]], 30. November 2012
 
 
 
= Other Cheatsheets =
 
{{Cheatsheet_Navigation}}
 
 
 
[[Category:Cheatsheets]]
 

Latest revision as of 13:16, 20 February 2019

Cheatsheets-header.jpg

The Cheat Sheet Series project has been moved to GitHub!

Please visit PHP Configuration Cheat Sheet to see the latest version of the cheat sheet.