Tangible Bytes

A Web Developer’s Blog

Security Hardening PHP

Most of what you read about securing PHP is how to write secure code - and that is really important.

In addition, it helps to set up PHP on the server for the best security.

There is plenty we can do to harden the setup without hurting the functionality we need.

The more layers we have in our security setup the better.

php.ini

There are various guides to securing php.ini settings.

The common factors are:

  • reduce the information you give to attackers
  • log more information for yourself
  • disable dangerous functions that you don’t need
  • add strict limits that suit your application

PHP is written to be powerful and flexible - to be able to do all sorts of stuff - but much of it you don’t need, like including PHP files from remote servers or running shell commands.
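As an added illustration of those four factors (not part of the original post), here is a php.ini fragment that shows each loose default commented out above its hardened value. The numeric limits and the paths are assumptions for a small web application and need tuning to yours.

```ini
; Added example: loose setting (commented out) above the hardened value.
; Limits and paths are assumed values for a small web app; tune them to your own.

; 1. Reduce the information you give to attackers
; expose_php = On   (advertises the PHP version in the X-Powered-By header)
expose_php = Off
; display_errors = On   (leaks file paths, queries and stack traces to the browser)
display_errors = Off
display_startup_errors = Off

; 2. Log more information for yourself
log_errors = On
error_reporting = E_ALL
; assumed path: must exist and be writable by the PHP user, readable by nobody else
error_log = /var/log/php/error.log

; 3. Disable dangerous functions you don't need
; allow_url_include = On   (lets include/require load PHP code from a remote server)
allow_url_include = Off
; allow_url_fopen = On   (lets fopen/file_get_contents fetch remote URLs; set On only if the app needs it)
allow_url_fopen = Off
; disable_functions =   (shell and process execution functions are all enabled by default)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
; open_basedir =   (no restriction on which files PHP may read or include)
; assumed document root and temp directory
open_basedir = /var/www/app:/tmp

; 4. Add strict limits that suit your application
; memory_limit = -1 and max_execution_time = 0 mean no limit at all
memory_limit = 128M
max_execution_time = 30
max_input_time = 60
post_max_size = 8M
upload_max_filesize = 2M
; set On only if the application really accepts file uploads
file_uploads = Off
```

After editing, restart PHP-FPM or the web server and confirm the values with `php --ini` and a phpinfo() page that is removed again afterwards, since disable_functions and open_basedir cannot be changed at runtime.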

Read up on how to tighten your settings:

OWASP PHP Configuration Cheat Sheet

Try this script to review your config:

https://github.com/sektioneins/pcc

Snuffleupagus

Snuffleupagus adds a whole other level of PHP hardening - it is the successor to https://suhosin.org/

Snuffleupagus has a lot of features that can be divided into two main categories: bug-class killers and virtual patching. The first category provides primitives to kill various bug families (like arbitrary code execution via unserialize, for example) or raise the cost of exploitation. The second category is a highly configurable system to patch functions in PHP itself.