Differences

This shows you the differences between two versions of the page.

Link to this comparison view

php_security [2011/11/22 10:22] (current)
Line 1: Line 1:
 +====== PHP Security ======
 +
 +  * [[PHP]]
 +  * [[PHP Suhosin]]
 +  * [[http://​us.php.net/​manual/​en/​configuration.changes.modes.php|Where a configuration setting may be set]]
 +  * [[http://​us.php.net/​manual/​en/​ini.list.php|List of php.ini directives]]
 +  * [[http://​stackoverflow.com/​questions/​5081025/​php-session-fixation-hijacking|PHP Session Hijacking]]
 +
 +=== PHP Configuration Overrides ===
 +
 +^ Mode ^ Meaning ^
 +| PHP_INI_USER | Entry can be set in user scripts (like with ini_set()) |
 +| PHP_INI_PERDIR | Entry can be set in php.ini, .htaccess or httpd.conf |
 +| PHP_INI_SYSTEM | Entry can be set in php.ini or httpd.conf |
 +| PHP_INI_ALL | Entry can be set anywhere |
 +
 +=== Configuration Settings ===
 +
 +== open_basedir ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.open-basedir|description]]
 +
 +Limits all file operations to the defined directory and below. ​ This directive makes most sense if used in a per-directory or per-virtualhost web server configuration file.
 +
 +  * Default: Off
 +  * Recommended:​ webroot
 +  * Changeable: PHP_INI_ALL
 +  * Syntax: "/​var/​www:/​usr/​share/​php"​
 +
 +Also it is prudent to disable symlink() function
 +
 +== disable_functions ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.disable-functions|description]]
 +
 +Disable certain PHP functions from executing. ​ Will throw a security warning error when they are used in code.
 +
 +  * Default: None
 +  * Recommended:​ filesystem functions, system executable functions, phpinfo, etc.
 +  * Changeable: php.ini only
 +  * Syntax: "​eval,​file_get_contents"​
 +
 +== expose_php ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.expose-php|description]]
 +
 +Adds a header to the HTTP response detailing the PHP version used.
 +
 +  * Default: Enabled
 +  * Recommended:​ Disabled
 +  * Changeable: php.ini only
 +
 +== display_errors ==
 +
 +  * [[http://​us.php.net/​manual/​en/​errorfunc.configuration.php#​ini.display-errors|description]]
 +
 +Includes error output with script execution.
 +
 +  * Default: Enabled
 +  * Recommended:​ Disabled on production servers
 +  * Changeable: PHP_INI_ALL
 +
 +== html_errors ==
 +
 +  * [[http://​us.php.net/​manual/​en/​errorfunc.configuration.php#​ini.html-errors|description]]
 +
 +Displays errors with HTML tags
 +
 +  * Default: Enabled
 +  * Recommended:​ Disabled on production servers
 +  * Changeable: PHP_INI_ALL
 +
 +== post_max_size ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.post-max-size|description]]
 +
 +Maximum size of POST data that PHP will accept.
 +
 +  * Default: 8M
 +  * Recommended:​ Low as necessary to avoid denial of service.
 +  * Changeable: PHP_INI_PERDIR
 +
 +== enable_dl ==
 +
 +  * [[http://​us.php.net/​manual/​en/​info.configuration.php#​ini.enable-dl|description]]
 +
 +Allows loading external PHP modules
 +
 +  * Default: Enabled
 +  * Recommended:​ Disabled
 +  * Changeable: PHP_INI_SYSTEM
 +
 +== file_uploads ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.file-uploads|file_uploads]]
 +
 +Allows uploading files.
 +
 +  * Default: Enabled
 +  * Recommended:​ Disable if not being used
 +  * Changeable: PHP_INI_SYSTEM
 +
 +== upload_max_filesize ==
 +
 +The max filesize of an uploaded file.
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.upload-max-filesize|description]]
 +
 +  * Default: 2M
 +  * Recommended:​ As large as needed for production, keep small otherwise to prevent denial of service.
 +  * Changeable: PHP_INI_PERDIR
 +
 +== max_file_uploads ==
 +
 +  * [[http://​us.php.net/​manual/​en/​ini.core.php#​ini.max-file-uploads|description]]
 +
 +Maximum number of files that can be uploaded via a single request.
 +
 +  * Default: 20
 +  * Recommended:​ Lower value
 +  * Changeable: PHP_INI_SYSTEM
 +
 +== allow_url_fopen ==
 +
 +  * [[http://​us.php.net/​manual/​en/​filesystem.configuration.php#​ini.allow-url-fopen|description]]
 +
 +Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 +
 +  * Default: Off
 +  * Recommended:​ Off
 +  * Changeable: PHP_INI_SYSTEM (Appendix says PHP_INI_ALL,​ which is wrong)
 +
 +== allow_url_include ==
 +
 +  * [[http://​us.php.net/​manual/​en/​filesystem.configuration.php#​ini.allow-url-include|description]]
 +
 +Whether to allow include/​require to open URLs (like http:// or ftp://) as files.
 +
 +  * Default: Off
 +  * Recommended:​ Off
 +  * Changeable: PHP_INI_ALL
 +
 +== session.use_only_cookies ==
 +
 +  * [[http://​us.php.net/​manual/​en/​session.configuration.php#​ini.session.use-only-cookies|description]]
 +
 +This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs
 +
 +  * [[http://​www.php.net/​manual/​en/​session.security.php|Sessions and security]]
 +
 +  * Default: Off
 +  * Recommended:​ On for sites that store secure data in session, but requires cookies to be set in browser
 +  * Changeable: PHP_INI_ALL
 +
 +== session.cookie_httponly ==
 +
 +  * [[http://​us.php.net/​manual/​en/​session.configuration.php#​ini.session.cookie-httponly|description]]
 +
 +Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
 +
 +  * Default: Off
 +  * Recommended:​ On for sites unless they use JavaScript to access session data (likely rare)
 +  * Changeable: PHP_INI_ALL
 +
 +== session.hash_function ==
 +
 +  * [[http://​us.php.net/​manual/​en/​session.configuration.php#​ini.session.hash-function|description]]
 +
 +Allows you to specify the hash algorithm used to generate the session IDs. '​0'​ means MD5 (128 bits) and '​1'​ means SHA-1 (160 bits).
 +
 +  * Default: MD5
 +  * Recommended:​ SHA1
 +  * Changeable: PHP_INI_ALL
 +