PHP Security Checklist

No one remembers it all


The things you must do when coding

最好的油墨比最好的記憶更好 - The palest ink is better than the best memory.

PHP Security Design Best Practices Summary

Every web application needs to address the following issues in order to meet the requirements for current web application protection.

  1. Architect Application Character Set
  2. Architect Database
  3. Architect Request Patterns
  4. Architect Input Validation
  5. Architect Output Escaping
  6. Architect Session Management
  7. Protect Secret Files/Include Files
  8. Protect Against CSRF Attacks
  9. Protect Against XSS Attacks
  10. Protect Against File System Attacks
  11. Architect Error Handling

OWASP Recommendations for PHP

The following list is in no particular order. It simply represents the order this author tends to think things through in the software design phase. Each element is important to the total protection of the application. Neglecting or poorly implementing any one part weakens the protection as a whole. Please make it a habit to continually refer to the OWASP PHP Cheat Sheet.

Stay Updated - Many experts continually contribute the latest information as security issues evolve.

The Checklist

  1. Upgrade to PHP 5.4+. Version 5.2 is now officially unsupported
  2. Enforce UTF-8 everywhere – PHP, MySQL, Text, HTML, JavaScript, Email, URL
  3. Employ a Content Security Policy from the start
  4. Use PHP’s highest levels of Session ID generation and hashing
  5. Login over SSL
  6. Use modern strength cryptography with CSPRNG quality salts (Blowfish, Rijndael256, openssl_random_pseudo_bytes(), DEV_URANDOM, etc.)
  7. Store hashed, then encrypted passwords, not clear text passwords
  8. Use cookies only via session.use_only_cookies=1
  9. Use HTTP-Only Cookies via session.cookie_httponly=1
  10. Use secure cookies over SSL for login process via session.cookie_secure=1
  11. Avoid shared session storage. Use custom session handler for secure storage
  12. Avoid Session Fixation by regenerating session id on authentication/authorization
  13. Set and enforce session expiration on critical actions – general timeout, inactivity periods
  14. Make logout button available to users at all times
  15. Properly delete all session data/Unset cookies immediately on logout
  16. RememberMe cookies should not include user/password information in any form
  17. $_GET, $_POST, $_REQUEST, $_FILES and $_COOKIE are untrusted
  18. HTTP headers and related $_SERVER data are untrusted
  19. $_REQUEST creates attack vector confusion by obfuscating the input source
  20. For MySQL, use quoted strings. MySQL type casts according to table column
  21. Automate injection defense by using prepared statements. PDO or mysqli
  22. Avoid manual quoting if possible – For dynamic column selection, use column white lists
  23. Remove dangerous functions from user execution (shell_exec(), exec(), etc.)
  24. Do not use preg_replace() with unsanitized user input to avoid eval() calls
  25. Avoid HTML tags in untrusted user output
  26. When HTML tags must be used with untrusted user data, use HTMLPurifier
  27. $_FILES['filename']['type'] is untrusted
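Items 17, 20, 21, 22 and 25 above, applied in one place. This is an added example and not code from the original checklist; it assumes PHP 7+, a MySQL table named users with columns id, name, email and created_at, and placeholder DSN credentials.

```php
<?php
// Added example (not from the original checklist): prepared statements, a column
// white list and HTML-context escaping. The DSN, credentials and the `users`
// table are illustrative placeholders.

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // charset fixed on the connection (item 2)
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Item 21: the untrusted value never becomes part of the SQL text; it travels as a bound parameter.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Item 22: identifiers cannot be bound, so a dynamic ORDER BY column is taken from a
// white list keyed by the request value; anything unknown falls back to a safe default.
function listUsers(PDO $pdo, string $requestedSort, int $limit = 50): array
{
    $allowed = ['name' => 'name', 'created' => 'created_at'];
    $column  = $allowed[$requestedSort] ?? 'created_at';

    $stmt = $pdo->prepare("SELECT id, name, email FROM users ORDER BY $column LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT needs an integer, not a quoted string
    $stmt->execute();
    return $stmt->fetchAll();
}

// Item 25: untrusted data reaches HTML only after escaping for the HTML context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo  = db();
$sort = isset($_GET['sort']) ? (string) $_GET['sort'] : ''; // $_GET is untrusted (item 17)
foreach (listUsers($pdo, $sort) as $user) {
    echo '<li>', e($user['name']), ' &lt;', e($user['email']), '&gt;</li>', "\n";
}
```

The white list maps request values to column names rather than checking the request value against column names directly, so the strings that reach the query are only ever the ones written in the source.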

Secure Session Management Checklist

  1. Begin Session with SSL connection
  2. Check your session management configuration
  3. Enable a highly unpredictable session ID
  4. Verify that session IDs were actually generated by your server
  5. Enable HTTP Only and Secure Cookies via PHP
  6. Enable secure login over SSL
  7. Always regenerate a session ID on successful authentication
  8. Force users to re-authenticate with password over SSL on any critical actions
  9. Always regenerate a session ID on privilege elevation
  10. Store all session data in server session array only
  11. Make logout option available on every page
  12. Upon logging out, explicitly destroy all user session data on the server
  13. Force expiration of session cookies on the server
  14. Explicitly and immediately destroy session on suspicious activity
  15. Use only cookies for session ID transmission
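The session checklist above expressed as code. This is an added example, not code from the original article; it assumes PHP 7.1+, that the application is served only over HTTPS, and a hypothetical findUser() lookup backed by a constructed in-memory user record.

```php
<?php
// Added example (not from the original article): session hardening per the checklist.
// Assumes PHP 7.1+ and HTTPS-only deployment.

function startSecureSession(): void
{
    // All session ini settings must be applied before session_start().
    ini_set('session.use_only_cookies', '1');      // item 15: ID never accepted from the URL
    ini_set('session.use_strict_mode', '1');       // item 4: reject IDs this server did not generate
    ini_set('session.cookie_httponly', '1');       // item 5
    ini_set('session.cookie_secure', '1');         // items 5/6: cookie sent only over SSL
    ini_set('session.sid_length', '48');           // item 3: long, unpredictable ID (PHP 7.1+)
    ini_set('session.sid_bits_per_character', '6');
    ini_set('session.gc_maxlifetime', '1800');     // item 13: server-side lifetime, 30 minutes
    session_start();

    // Inactivity timeout: 15 minutes without a request ends the session.
    $now = time();
    if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > 900) {
        destroySession();
        session_start();
    }
    $_SESSION['last_activity'] = $now;
}

// Hypothetical lookup against a constructed record; a real app would query its user store.
function findUser(string $username): ?array
{
    $users = ['alice' => ['id' => 1, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // item 7: fresh ID on authentication, old one deleted
    $_SESSION = ['user_id' => $user['id'], 'logged_in_at' => time(), 'last_activity' => time()];
    return true;
}

function elevatePrivilege(): void
{
    session_regenerate_id(true); // item 9: fresh ID on privilege elevation
    $_SESSION['is_admin'] = true;
}

function destroySession(): void
{
    $_SESSION = []; // item 12: server-side data goes first
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // item 13: expire the cookie in the browser as well
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

startSecureSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['logout'])) {
    destroySession(); // item 11/12: logout reachable from every page
}
```

The same destroySession() routine serves the logout button, the inactivity timeout and item 14 (suspicious activity), so there is one path that forgets a session rather than three slightly different ones.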

Additional PHP Security Checklist

  1. Employ a high encryption strength cost and update this cost periodically
  2. Assist the user in avoiding weak passwords with a strength meter
  3. Encrypt sessions, encrypt user data
  4. Encode Header/Metatag Content-Type: as UTF-8
  5. Remove invalid UTF-8 characters from input through iconv()
  6. To filter/validate input: white list, typecast, escape or convert input
  7. To preserve output – escape with correct character set
  8. Use HTTP GET for read requests
  9. Use HTTP POST with authentication tokens for write modification requests
  10. Add high quality CSRF tokens to all forms
  11. Escape output according to context – HTML, URL, JavaScript
  12. Remove newlines from untrusted user input for email From: and Subject: headers
  13. Prevent information disclosure to users – do not reflect SQL or file path errors, etc.; set display_errors=0 and log_errors=1, and discontinue use of die("error");
  14. Disable dangerous PHP functions
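Items 5, 9, 10, 12 and 13 of the additional checklist as a small set of helpers. This is an added example, not code from the original checklist; it assumes PHP 7+ (random_bytes, hash_equals) and a session that has already been started.

```php
<?php
// Added example (not from the original checklist): CSRF tokens, UTF-8 cleanup and
// mail-header sanitising. Assumes PHP 7+ and session_start() already called.

// Item 10: one unpredictable token per session, compared in constant time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

function csrfVerify(?string $submitted): bool
{
    return $submitted !== null
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // timing-safe comparison
}

// Item 5: drop byte sequences that are not valid UTF-8 instead of passing them along.
function toValidUtf8(string $input): string
{
    $clean = iconv('UTF-8', 'UTF-8//IGNORE', $input);
    return $clean === false ? '' : $clean;
}

// Item 12: a CR, LF or NUL inside a From:/Subject: value would start a new header line,
// so those bytes are removed before the value is handed to mail().
function mailHeaderValue(string $input): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', toValidUtf8($input)));
}

// Item 9: state-changing requests arrive by POST and must carry the token; item 8 keeps reads on GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfVerify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request'); // item 13: generic message, details go to the error log
    }
    $subject = mailHeaderValue((string) ($_POST['subject'] ?? ''));
    // ... perform the write action using $subject ...
} else {
    echo '<form method="post">', csrfField(), '<input name="subject"><button>Send</button></form>';
}
```

csrfField() is what every form on the site embeds; the token is the same for the life of the session, so regenerating the session on login (see the session checklist) also leaves $_SESSION['csrf_token'] to be re-issued on the next form render.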

Disable Dangerous PHP Functions


Certain functions are very dangerous when executed with untrusted input. Disabling these is highly recommended, especially in a shared environment. In php.ini, set disable_functions to the functions needing to be disabled. If a function is required, remove the name from the list. Example:

disable_functions = eval, exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
; note: eval is a language construct rather than a function, so listing it here has no effect; disable_functions covers only the real functions in this list