This post covers the Configuration section of the PHP Security chapter when studying for the Zend PHP 7 Certification.
Incorrect PHP configuration on a production web server can cause a website to have security flaws that may be exposed to hackers.
Some of the steps involved in securing your PHP application are small changes to the directives in the php.ini configuration file. For example, unless you are in a closed development state, the display_errors directive should be disabled (turned off). In addition, all error messages should be passed to the system log files using the log_errors directive, which should be enabled (turned on) for production environments. This prevents your environment from presenting sensitive information to the public if an unexpected error occurs on the website.
The error reporting configuration can be summed up as follows: E_ALL reports all PHP errors. In a live environment, it is a good idea to report all errors except those covered by the E_STRICT and E_DEPRECATED constants.
These directives can also be added in the .htaccess file, or in Apache's httpd.conf configuration file.
# Disable display_errors for security reasons
php_flag display_errors off
php_flag log_errors on
Other configuration directives should also be taken into consideration, including open_basedir. This directive defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it.
You can define the open_basedir directive within php.ini.
open_basedir = "/htdocs/somedirectory"
Or within Apache's httpd.conf file.
<VirtualHost 123.123.123.123:80>
<Directory /htdocs/somedirectory>
php_admin_value open_basedir "/htdocs/somedirectory"
</Directory>
</VirtualHost>
If enabled, the allow_url_fopen configuration directive allows PHP's file functions, like file_get_contents(), to retrieve data from remote locations. There is a risk of code injection caused by the combination of enabling allow_url_fopen and bad input filtering, so consider disabling this directive if you are not expecting to retrieve data from anywhere other than your local server.
allow_url_fopen=Off
To restrict PHP information leakage, you can disable the expose_php directive.
expose_php=Off
When enabled, expose_php reports to the world that PHP is installed on the server, which includes sending the PHP version in the HTTP headers.
Although not as major as the other configuration directives that should be set properly, many users feel that it is worth not exposing PHP information, as there are no real disadvantages to doing so.
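The directives discussed above (display_errors, log_errors, error_reporting, open_basedir, allow_url_fopen and expose_php) are easy to get wrong on a production server, so a small audit script that reads a php.ini and reports every directive that is not at its recommended production value is a useful check. The following Python script is an added example written for this post; it is not code from the original article or from the Zend certification material. The php.ini fragments it audits are constructed samples, and the recommended values it checks for are exactly the ones stated above. It also evaluates a PHP-style error_reporting expression such as E_ALL & ~E_STRICT & ~E_DEPRECATED into its integer bitmask so that it can tell whether E_STRICT or E_DEPRECATED are still being reported.

```python
"""Audit a php.ini text for the production hardening directives discussed above.

Added example, not from the original post. The sample php.ini fragments
DEV_INI and PROD_INI are constructed for illustration.
"""

# PHP 7 error-level constants, with the values defined by the PHP engine.
E_CONSTANTS = {
    "E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
    "E_CORE_ERROR": 16, "E_CORE_WARNING": 32, "E_COMPILE_ERROR": 64,
    "E_COMPILE_WARNING": 128, "E_USER_ERROR": 256, "E_USER_WARNING": 512,
    "E_USER_NOTICE": 1024, "E_STRICT": 2048, "E_RECOVERABLE_ERROR": 4096,
    "E_DEPRECATED": 8192, "E_USER_DEPRECATED": 16384, "E_ALL": 32767,
}

# Spellings PHP accepts for boolean ini directives.
OFF_VALUES = {"off", "0", "false", "no", "none", ""}
ON_VALUES = {"on", "1", "true", "yes"}


def parse_ini(text):
    """Return {directive: value} for php.ini-style text, ignoring comments and [sections]."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def error_level(expr):
    """Evaluate an error_reporting expression (constants, integers, ~, & and |)
    into its integer bitmask; '&' binds tighter than '|', as in PHP."""
    def atom(token):
        token = token.strip()
        negate = token.startswith("~")
        if negate:
            token = token[1:].strip()
        value = E_CONSTANTS[token] if token in E_CONSTANTS else int(token)
        return ~value if negate else value

    result = 0
    for or_part in expr.split("|"):
        and_value = -1                      # all bits set: identity for '&'
        for and_part in or_part.split("&"):
            and_value &= atom(and_part)
        result |= and_value
    return result


def audit(ini_text):
    """Return a list of findings for directives not at their recommended production value.
    An empty list means every directive covered by the post is set as recommended."""
    d = parse_ini(ini_text)
    findings = []
    for name, wanted in (("display_errors", "off"), ("log_errors", "on"),
                         ("allow_url_fopen", "off"), ("expose_php", "off")):
        if name not in d:
            findings.append(f"{name}: not set explicitly (engine default applies); set it to {wanted}")
            continue
        value = d[name].lower()
        if (wanted == "off" and value not in OFF_VALUES) or (wanted == "on" and value not in ON_VALUES):
            findings.append(f"{name}: is '{d[name]}', should be {wanted}")
    if not d.get("open_basedir"):
        findings.append("open_basedir: not set; PHP may open files anywhere on the filesystem")
    if "error_reporting" in d:
        level = error_level(d["error_reporting"])
        for noisy in ("E_STRICT", "E_DEPRECATED"):
            if level & E_CONSTANTS[noisy]:
                findings.append(f"error_reporting: still includes {noisy}; exclude it in production")
    else:
        findings.append("error_reporting: not set explicitly (engine default applies)")
    return findings


# Constructed sample: a php.ini fragment left in a typical development state.
DEV_INI = """
[PHP]
; development settings
display_errors = On
log_errors = Off
error_reporting = E_ALL
allow_url_fopen = On
expose_php = On
"""

# Constructed sample: the same directives set as the post recommends for production.
PROD_INI = """
[PHP]
display_errors = Off
log_errors = On
error_reporting = E_ALL & ~E_STRICT & ~E_DEPRECATED
open_basedir = "/htdocs/somedirectory"
allow_url_fopen = Off
expose_php = Off
"""

if __name__ == "__main__":
    for label, ini in (("development", DEV_INI), ("production", PROD_INI)):
        print(f"{label}: {audit(ini) or ['no findings']}")
```

Running the script prints seven findings for the development fragment and none for the production one. Point audit() at the contents of the real php.ini on a server (or at the output of php --ini and php -i, after trimming it to key = value lines) to check a live configuration; because the script only looks at the file, it does not see values overridden per virtual host through php_admin_value or .htaccess, which still have to be reviewed separately.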
Note: This article is based on PHP version 7.0.