PHP is one of the most popular server-side scripting languages, used by 82.5% of the websites whose server-side platform is known. The newer version, PHP 7, makes it even more appealing to developers. There is a myth that PHP is less secure than other programming languages.
PHP offers robust security features, but it is in the hands of developers to implement them correctly.
Let's begin learning how to make a secure application in PHP:
Remote code execution can be used to breach the security of a web application, and most websites do not need to execute remotely supplied code at all, so it is better to disable that functionality.
Errors tell developers what coding mistakes they are making, but at the same time they also tell attackers where to look for a way to breach the website's security.
; In security.ini (a php.ini drop-in): keep error details out of responses
display_errors=Off
Most websites do not use the functionality to upload files through the website interface, so it is better to disable it.
; In security.ini
file_uploads=Off
We have a number of PHP modules that can be used to perform various tasks, but a particular website does not need all of them. You can list all the loaded modules with the command php -m:
# List the loaded modules, then disable the unnecessary ones one by one
php -m
Disabling the unnecessary modules improves both the performance and the security of the web application.
By default, PHP exposes information about the platform and installed modules. We can control that with the expose_php directive in security.ini.
; Do not expose information about the platform
expose_php=Off
POST functionality is used to send data from one page to another. We can limit the size of POST data with post_max_size in security.ini.
; Limit the size of POST data
post_max_size=1k
The function fopen() can be used to access any file of the website, but we can limit the paths fopen() may access by using open_basedir.
; Restrict file access to the web root directory
open_basedir="/var/www/html/"
PHP comes with many functions that are normally not required by a web application but can be used by attackers to breach the security of the website, so let's disable them.
; In php.ini
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
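To check that a deployed configuration actually carries the directives above, here is an added example (not code from the original article): a POSIX shell script that writes the hardened drop-in and audits any php.ini or conf.d fragment against the recommended values. The function names, the sample path /etc/php/7.4/fpm/conf.d/security.ini, and the extra log_errors=On line are my assumptions; the expected values are the ones the article gives. PHP accepts several spellings for booleans (Off, off, 0, false), so the audit normalizes them before comparing, and it honours the ini parser's rules that ';' starts a comment and the last assignment wins.

```shell
#!/bin/sh
# Added example, not from the original article: write a hardening drop-in
# and audit an existing php.ini / conf.d fragment against the directives
# discussed above. Function names and the sample path are assumptions.
set -u

# Directives the article recommends, as name=value (values as in the article).
EXPECTED='display_errors=Off
file_uploads=Off
expose_php=Off
post_max_size=1k
open_basedir=/var/www/html/
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source'

# ini_value FILE NAME: print the effective value of NAME in FILE. Commented
# lines (starting with ';') are skipped, inline comments and surrounding
# quotes are stripped, and the last assignment wins, as in PHP's ini parser.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | sed -e 's/[[:space:]]*;.*$//' -e 's/^"\(.*\)"$/\1/' -e 's/[[:space:]]*$//' \
      | tail -n 1
}

# normalize VALUE: lower-case it and collapse PHP's boolean spellings
# (On/1/true/yes and Off/0/false/no/empty) to "on" / "off".
normalize() {
    _v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$_v" in
        ''|0|off|false|no|none) printf 'off' ;;
        1|on|true|yes)          printf 'on' ;;
        *)                      printf '%s' "$_v" ;;
    esac
}

# audit_ini FILE: print one OK/WEAK line per directive and return the number
# of directives that are missing or weaker than the article recommends.
audit_ini() {
    _file=$1
    _bad=0
    while IFS='=' read -r _name _want; do
        [ -n "$_name" ] || continue
        _got=$(ini_value "$_file" "$_name")
        if [ "$(normalize "$_got")" = "$(normalize "$_want")" ]; then
            printf 'OK    %s=%s\n' "$_name" "$_got"
        else
            printf 'WEAK  %s=%s (expected %s)\n' "$_name" "${_got:-<unset>}" "$_want"
            _bad=$((_bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return $_bad
}

# write_hardened_ini FILE: emit a drop-in (e.g. conf.d/security.ini) holding
# the article's directives. log_errors=On is an addition so that errors still
# reach the log once they no longer reach the browser.
write_hardened_ini() {
    cat > "$1" <<'EOF'
; security.ini - PHP hardening drop-in (example; adjust the path and the list)
display_errors = Off        ; errors go to the log, never to the browser
log_errors = On
file_uploads = Off          ; turn on only if the site really needs uploads
expose_php = Off            ; no "X-Powered-By: PHP/x.y" response header
post_max_size = 1k          ; the article's ceiling; raise it if forms need more
open_basedir = "/var/www/html/"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
EOF
}

# Usage: sh php_ini_audit.sh /etc/php/7.4/fpm/conf.d/security.ini  (the path is
# an assumption). With no argument the script only defines the functions above.
[ $# -gt 0 ] && audit_ini "$1"
```

Run it against the file PHP actually loads (php --ini lists them); a non-zero exit status is the count of WEAK lines, so it drops straight into a deployment check. The audit reads the ini text, not the running interpreter, so a directive overridden later in php.ini, in a later conf.d file, or per virtual host would still need confirming with php -r 'var_dump(ini_get("display_errors"));' on the server.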