Hi,
OWASP has some cheat sheets for hardening PHP configurations:

https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html

You can combine it with httpd, which would run the PHP app and website
inside a chroot jail.

You can also review the PHP application for the functions that it uses and
then disable any functions not required by the PHP application
(care needs to be taken with obfuscated / encoded website applications).

You can also restrict the extensions that you don't need, to reduce the
attack surface.

You can also put limits on the POST / upload sizes (whether they are
needed or not).

You can also restrict HTTP methods (for instance on a CMS site that doesn't
require updates / login publicly), and allow POSTs from specific IPs.

I hope this helps

On Thu, 10 Mar 2022 at 00:17, <i...@tutanota.com> wrote:

> Hi all,
>
> I have done a lot of coding in PHP over the years, but have only
> recently had a chance to look deeper into the language in order to look
> at some of the C coding and see how security and bugs are handled. Of
> course this has been very eye opening and I am shocked at how many
> confirmed security bugs just stay dormant without being fixed for
> more than a decade. This seems to mainly be because PHP is such a huge
> pile of crap mixed together. In several cases the developers simply
> cannot see how a serious security bug can be fixed because it will
> cause a cascade of problems elsewhere - so they leave it. Then when you
> do coding in PHP, you have to be an expert in "PHP problems" in order
> to avoid all of that.
>
> I am considering abandoning all future work with PHP and perhaps only doing
> projects in Go instead, but I haven't had the time to compare how
> seriously security is taken in Go. I would suspect a lot better (simpler
> language, daily usage by Google and many other big companies,
> involvement of Ken, Rob, and others), but that is just assumptions. Any
> advice on that?
>
> I know how OpenBSD chroots the webserver and thereby PHP too, but I
> need advice on how to harden a PHP server further. I only run
> production servers on OpenBSD.
>
> On a higher level there is "disable_functions" and "disable_classes",
> an internal feature of PHP, but it's a blacklist, and PHP has about a
> gazillion functions. Furthermore, it doesn't make a lot of sense to me
> since it's possible to use even basic functions such as "require" or
> "include" for remote code execution in the form of local file include
> and remote file include vulnerabilities. If you need to disable all the
> dangerous functions, you can hardly use PHP. And then.. it's on the PHP
> level, sooo. But maybe every little bit counts?
>
> Anyway, what are you guys doing if you're running PHP in production on
> OpenBSD? Besides NOT running PHP in production at all.
>
> Kindest regards.
>
> --
>  Sent with Tutanota, the secure & ad-free mailbox.
>


-- 
Kindest regards,
Tom Smyth.
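The "review the application for the functions it uses, then disable the rest" step from the reply above, as an added worked example (this is not code from the thread or from OWASP): a POSIX shell script that greps a PHP code base for a candidate list of process/exec-style builtins, emits a php.ini `disable_functions` line for the ones that are never referenced, and separately reports the obfuscation indicators (eval, base64_decode, ...) that make such a static review unreliable, which is the caveat in the reply. The candidate and indicator lists, the function names, and the three-file sample application are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): build a php.ini disable_functions line
# from what a PHP application actually calls, and flag obfuscation that makes
# such a static review unreliable. The candidate lists are assumptions; a real
# review extends them to whatever the OWASP sheet and the app's needs suggest.

# Builtins to disable unless the code base references them (assumed list).
CANDIDATES="exec passthru shell_exec system proc_open popen pcntl_exec \
dl putenv show_source highlight_file"

# Constructs that usually mean code is assembled at runtime, so grep cannot
# tell which builtins are really called (assumed list).
OBFUSCATION="eval base64_decode gzinflate str_rot13 create_function"

# usage: php_uses_function DIR NAME
# Exit 0 if NAME is called in any .php file under DIR. The pattern requires a
# non-identifier character before NAME, so "shell_exec(" does not count as a
# use of exec and "System::load(" does not count as a use of system.
php_uses_function() {
    pat='(^|[^A-Za-z0-9_$])'"$2"'[[:space:]]*\('
    find "$1" -type f -name '*.php' -exec grep -liE "$pat" {} + | grep -q .
}

# usage: disable_functions_for DIR
# Print a php.ini line disabling every candidate the application does not use.
disable_functions_for() {
    out=""
    for f in $CANDIDATES; do
        if php_uses_function "$1" "$f"; then
            printf 'keeping %s: referenced by the application\n' "$f" >&2
        else
            out="${out:+$out,}$f"
        fi
    done
    printf 'disable_functions=%s\n' "$out"
}

# usage: obfuscation_hits DIR
# Print the space-separated obfuscation indicators found under DIR (empty if none).
obfuscation_hits() {
    hits=""
    for f in $OBFUSCATION; do
        if php_uses_function "$1" "$f"; then
            hits="${hits:+$hits }$f"
        fi
    done
    printf '%s\n' "$hits"
}

# usage: make_sample_app
# Create a constructed three-file "application" in a temp dir and print its path.
make_sample_app() {
    d=$(mktemp -d)
    cat > "$d/index.php" <<'EOF'
<?php
// Legitimate shell-out: the app resizes images with an external tool.
$out = shell_exec('convert in.png -resize 100x100 out.png');
echo $out;
EOF
    cat > "$d/lib.php" <<'EOF'
<?php
function helper($x) { return System::load($x); } // static method call, not the builtin
EOF
    cat > "$d/vendor.php" <<'EOF'
<?php
eval(base64_decode('cGhwaW5mbygpOw==')); // constructed encoded payload: phpinfo();
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: audit the directory given as the first argument, or the
# constructed sample when none is given.
target=${1:-$(make_sample_app)}
obf=$(obfuscation_hits "$target")
if [ -n "$obf" ]; then
    printf 'warning: obfuscation indicators found (%s); review those files by hand\n' "$obf" >&2
fi
disable_functions_for "$target"
if [ -z "${1:-}" ]; then
    rm -rf "$target"
fi
```

Against the sample the script keeps shell_exec (the thumbnail shell-out) and disables the other ten candidates, while the eval/base64_decode hit in vendor.php is reported so that file gets a manual read before the list is trusted. The printed line is meant to be pasted into php.ini (or a drop-in .ini); the list is a denylist, as the original mail points out, so it limits what a file-include or injection bug can call rather than preventing the bug.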
