This post covers the Configuration section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Incorrect PHP configuration on a production web server can cause a website to have security flaws that may be exposed to hackers.
Some steps involved in securing your PHP application involve making small changes to the
php.ini configuration files directives.
For example, unless you are in a closed development state, the
display_errors directive should be disabled or turned off.
In addition, all error messages should be passed to system log files using the
log_errors directive, and this should be enabled or turned on for production environments. This prevents your environment from presenting sensitive information to the public if an unexpected error occurs on the website.
In fact, a summary of the error logging configuration directives can be summed up as follows:
E_ALL reports all PHP errors. In a live environment, is it a good idea to report errors except
These directives can also be added in the
.htaccess file, or in apache’s
httpd.conf configuration file.
# Disable display_errors for security reasons php_flag display_errors off php_flag log_errors on
Other configuration directive should also be taken into consideration, including
open_basedir. This directive defines the locations or paths from which PHP is allowed to access files using functions like
gzopen(). If a file is outside of the paths defined by
open_basedir, PHP will refuse to open it.
You can define the
open_basedir directive within
open_basedir = "/htdocs/somedirectory"
Or within Apache’s
<VirtualHost 22.214.171.124:80> <Directory /htdocs/somedirectory> php_admin_value open_basedir "/htdocs/somedirectory" </Directory> </VirtualHost>
If enabled, the
allow_url_fopen configuration directive allows PHP’s file functions, like
file_get_contents() to retrieve data from remote locations. There is a risk of code injection caused by the combination of enabling
allow_url_fopen and bad input filtering, so consider disabling this directive if you are not expecting to retrieve data from anywhere other than your local server.
To restrict PHP information leakage, you can disable the
expose_php reports to the world that PHP is installed on the server, which includes the PHP version within the HTTP header.
Although not as major as the other configuration directives that should be set properly, many users feel that it is worth not exposing PHP information as there are no real disadvantages of doing so.
View the other sections:
Note: This article is based on PHP version 7.0.