Considerations when securing PHP application

Transcript

1. Securing your PHP application Chencha Jacob August 4, 2015 1

2. Basics Basics Authentication - Minimum length password - Combination characters

   passwords - Don t store in session - Hash Bcrypt - Salt - Expiring passwords - 2 step authentication 2

3. Errors Errors - Make sure errors disabled - Make sure

   errors logged 3

4. Servers Servers - Don t put application files in public

   folder - Turn off execution on all files except your index file on public folder - Make sure server is in a secure location 4

5. Variables Variables - Glean all globals _GET, $_POST, $_COOKIE, and

   $_REQUEST - Be wary of automatically set variables as well $_SERVER, $_ENV - Be aware of incoming data with executable code - Make generous use of *filter_var* function - Watch out for extreme input values - Verify that the encoding is what you expect. Preferrably limit to UTF-8 5

6. XSS XSS - Sanitize all incoming html and css -

   validate all urls to ensure only safe protocols 6

7. Files Files - Don t trust self declared *mime* type

   - Verify size before accepting. This should preferably happen on many levels - Avoid code files *php* *js* *net* etc 7