Zend PHP 7 Certification – Security – Configuration

This post covers the Configuration section of the PHP Security chapter when studying for the Zend PHP 7 Certification.

Incorrect PHP configuration on a production web server can cause a website to have security flaws that may be exposed to hackers.

Some of the steps involved in securing a PHP application are small changes to directives in the php.ini configuration file.

For example, unless you are working in a closed development environment, the display_errors directive should be disabled (turned off).

In addition, all error messages should be passed to system log files using the log_errors directive, and this should be enabled or turned on for production environments. This prevents your environment from presenting sensitive information to the public if an unexpected error occurs on the website.

The error logging configuration directives can be summed up as follows:

  • display_errors = off, log_errors = on (Production)
  • error_reporting = E_ALL (Development system)
  • error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT (Production)

E_ALL reports all PHP errors. In a live environment, it is a good idea to report all errors except those covered by the E_STRICT and E_DEPRECATED constants.

These directives can also be set in an .htaccess file, or in Apache’s httpd.conf configuration file.

# Disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on

Other configuration directives should also be taken into consideration, including open_basedir. This directive defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it.

You can define the open_basedir directive within php.ini.

open_basedir = "/htdocs/somedirectory"

Or within Apache’s httpd.conf file.

<VirtualHost 123.123.123.123:80>
    <Directory /htdocs/somedirectory>
        php_admin_value open_basedir "/htdocs/somedirectory"
    </Directory>
</VirtualHost>

If enabled, the allow_url_fopen configuration directive allows PHP’s file functions, like file_get_contents(), to retrieve data from remote locations. There is a risk of code injection caused by the combination of enabling allow_url_fopen and bad input filtering, so consider disabling this directive if you are not expecting to retrieve data from anywhere other than your local server.

allow_url_fopen=Off

To restrict PHP information leakage, you can disable the expose_php directive.

expose_php=Off

When enabled, expose_php announces to the world that PHP is installed on the server, including the PHP version, in the HTTP response headers.

Although less important than the other configuration directives that should be set properly, many users consider it worth not exposing PHP information, since disabling expose_php has no real disadvantages.
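As an added example (not code from the original post), the following PHP script reads the effective runtime settings with ini_get() and error_reporting() and reports any that differ from the production recommendations above; which directives it checks, and the exit-status convention, are this example's own assumptions. Run it through the web server, or the CLI, on the host you want to audit so that .htaccess and httpd.conf overrides are included.

```php
<?php
// Added example: audit the effective PHP configuration against the
// production hardening directives discussed in this post.
// Assumption: the checked directive list and the exit codes are ours.

declare(strict_types=1);

/** Interpret php.ini-style booleans ("On", "1", "true" vs "Off", "0", ""). */
function iniBool(string $name): bool
{
    return filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** Return a list of findings; an empty list means the host matches the advice. */
function auditProductionConfig(): array
{
    $findings = [];

    if (iniBool('display_errors')) {
        $findings[] = 'display_errors is On: error details would be shown to visitors';
    }
    if (!iniBool('log_errors')) {
        $findings[] = 'log_errors is Off: errors are neither displayed nor recorded';
    }
    // error_reporting() returns the effective bitmask, however the ini expression was written.
    $level = error_reporting();
    if ($level & (E_DEPRECATED | E_STRICT)) {
        $findings[] = 'error_reporting includes E_DEPRECATED/E_STRICT; production advice is E_ALL & ~E_DEPRECATED & ~E_STRICT';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: PHP may open files anywhere on the filesystem';
    }
    if (iniBool('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is On: file functions accept remote URLs';
    }
    if (iniBool('expose_php')) {
        $findings[] = 'expose_php is On: the X-Powered-By header reveals the PHP version';
    }
    return $findings;
}

// Plain-text report; a non-zero exit status lets a deploy pipeline fail on findings.
header('Content-Type: text/plain');
$findings = auditProductionConfig();
echo $findings
    ? implode(PHP_EOL, $findings) . PHP_EOL
    : 'All checked directives match the production recommendations' . PHP_EOL;
exit($findings ? 1 : 0);
```

Note that display_errors can also hold the value "stderr" (common on the CLI), which this boolean check treats as off; the web SAPI is what matters for the audit.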

Note: This article is based on PHP version 7.0.