Checklist for Security of Your PHP Website
PHP DevelopmentThe biggest misfortune of PHP is being an open source and open platform technology, which is obviously dominating the web of today. It is grown, not deliberately engineered with the help of professionals including security experts.
It is flexible and easy to code even within HTML documents. Technically, PHP is a language as well as framework both and its vast developer community is adding libraries with each new version.
These all make it the most vulnerable web development language among the leading programming technologies. Therefore, PHP website owners are always under pressure to take security measures with enough attentions.
If you are one of them, we try to give you a highly useful cheat sheet or checklist to mitigate your security threats prior to taking place or harm you anyway in near future.
For better understanding, we have fragmented the entire cheat sheet in some logical sections, and its overview has given below.
Cheat Sheets
- Database Cheat Sheet
- Language Issues
- Framework Issue
- Configuration Cheat Sheet
- Untrusted data
- Injection
- XSS
- CSRF
- Authentication & Session Management
- Configuration and Deployment
Database Cheat Sheet
SQL injections are well known and favorite of the hacker community, so they always try to make your website database vulnerable through direct databases input methods such as authentication form, other forms, and their input fields. Their modus operand for compromising is to generate several error reports directly from databases and give an idea of the database structure. Once they succeed in it, they either delete your entire database or a portion of it. In some cases, hackers introduce a fatal code or malware into the database through SQL injections and accomplishing their bad intentions in smart ways like hacking or attacking other websites that can correspond with yours. The preventative measures for your database are:- Never concatenate or interpolate data in SQL
- Use custom 401 error messages instead of by default generated from your database
- Prevent manipulation of URL query string by using filters, input validation methods, or use wash & rinse cycle
- Never use escaping as it is not safe way
- Use prepared statement wherever possible
- You must use Object Relational Mappers (ORM), which is a good practice at security point of view, as it makes SQL inject tougher
- Only use UTF-8 charset for your database and mitigate some encoding issues upfront
Language Cheat Sheet
Inherently PHP has several language issues such as- Weak Typing: Try to use operators and functions, which are refraining from automatic conversions for incorrect type into expected type
- Exception & Error Handling: Error checking practices should add at each point, and database access should do by using PDO (PHP data objects). If possible use error_reporting function and never try to suppress error message instead follow it and make code robust
- PHP.ini: The behavior of PHP code often relying on configuration settings so make configuration with security concerns
- Unhelpful Built-Ins: Many built-in security functions prove buggy or useless so segregate them, deprecate, and finally remove it all
Framework Cheat Sheet
- URL Routing: URL routing mechanism is a built-in feature of PHP and uses accessing files ending with a .php extension. It may cause vulnerability of different types such as remote execution vulnerability, source code
- vulnerability, and authentication vulnerability so takes appropriate measures to mitigate it all
- Input Handling: PHP is not treating HTTP inputs as simple strings. Instead, it builds arrays from it at the control of client device. Therefore, be careful with HTTP inputs and handle them correctly
- Template Language: Although PHP is a template language, it misses HTML escaping by default and create several security problems including XSS
- Deficiencies: Being a rudimentary framework, PHP is not supplying CSRF protection mechanism by default and loose security when developers are fresh or less experienced in web development with other languages
Configuration Cheat Sheet
As we know well, that PHP.ini is deeply affecting the behavior of PHP through configuration settings and besides it, another security configuration option is SetHandler directive so use it instead of AddHnadler directiveUntrusted Data Cheat Sheet
User data in any form are untrusted and should be validated, filtered, and sanitize them. For instance, file uploads by users and super global including:- $_SERVER
- $_GET
- $_POST
- $_REQUEST
- $_FILES
- $_COOKIE
Injection Cheat Sheet (Other)
Besides SQL injections, some other injections are common in PHP and those are:Shell Injection
PHP has functions such as oshell_exec oexec opassthru osystem obacktick operator When users provide inputs to these functions shell injection can make your settings and configuration leak to hackers so never pass tainted inputs to these functions.Code Injection
PHP is an interpreted language, which has some functions that are accepting strings and run in the language. Among those function, eval() is one and make PHP vulnerable if used with insanities user inputs. Therefore, always avoid using the eval() function in code and save code injection. Fortunately, Addon Solutions is taking care of it as a leading PHP Application Development Company.XSS Cheat Sheet
Cross Site Scripting (XSS) is a type of injection where one site is used to send malicious code to another site successfully because the second site that is receiving code is considering the first site as trusted source and hackers leverage it to accomplish their bad ideas. Hackers use several methods for XSS, and you can mitigate those using following tricks.- No Tag: Apply ‘htmlspecialchars’ to the data each time
- Untrusted Tags: use secure encoding libraries
- Template Engines
CSRF Cheat Sheet
- It is true that most of CSRF attacks take place on GET, but it could be with POST too. Therefore add CSRF token everywhere including GET, POST, and cookies/HTTP Headers, etc.
- Employ re-authentication methods for critical operation where you need to change the username, password, and email as per needs.
- Using CAPTCHAS is a better prevention method, but you can implement it when only it is not intimidating UX of your site.
Authentication & Session Management Cheat Sheet
Unfortunately, neither PHP nor its frameworks are offering satisfactory authentication module. May be it is because PHP is open source and security experts are few as contributors. Therefore, it is good to implement own session mechanism and store data in the database only. Moreover, never use PHP functionality for session handling and make it safe.- We can prevent session hijacking phenomena by binding sessions to IP addresses. No doubt, TOR users may have trouble with it, but it is safe for you
- You must invalidate session ID when you observe any violation, and you can do it by unset cookies, session storage, and remove traces of a session
- You should roll session ID on each elevation occurs like user login
- You must not expose session ID anyhow and must not use URLs as a medium for session ID. It is better you transfer session ID over TLS particularly when it holds confidential info
- Invalidate session ID once users log in
- Sessions should expire once certain time of activities taken place or certain amount of inactivity
- Handle cookies in smart ways such as never serialize data store in cookies, make proper deletion of it, and try to use HTTP cookies only
- When use Remember Me feature on your site generate two tokens, a selector and a verifier and store both together in a remember me cookie
Configuration and Deployment Cheat Sheet
- Use Suhosin like patches to bring custom security flows
- Configure PHP.INI for