
Considerations when securing PHP application

Notes from PHP Meetup held at UX Lab August 2015

Jacob Chencha

August 04, 2015

Transcript

1. Basics

   Authentication
   - Minimum length password
   - Combination of characters in passwords
   - Don't store passwords in the session
   - Hash with Bcrypt
   - Salt
   - Expiring passwords
   - 2-step authentication

2. Servers

   - Don't put application files in the public folder
   - Turn off execution on all files except your index file in the public folder
   - Make sure the server is in a secure location

3. Variables

   - Clean all globals: $_GET, $_POST, $_COOKIE, and $_REQUEST
   - Be wary of automatically set variables as well: $_SERVER, $_ENV
   - Be aware of incoming data with executable code
   - Make generous use of the *filter_var* function
   - Watch out for extreme input values
   - Verify that the encoding is what you expect. Preferably limit it to UTF-8

4. XSS

   - Sanitize all incoming HTML and CSS
   - Validate all URLs to ensure only safe protocols

5. Files

   - Don't trust the self-declared *mime* type
   - Verify size before accepting. This should preferably happen on many levels
   - Avoid code files: *php*, *js*, *net*, etc.
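The checks from the Files slide as one server-side upload validator. This is an added example, not code from the talk; the allowlist ALLOWED_TYPES, the $maxBytes limit, the form field name "document" and the storage path are this example's own assumptions.

```php
<?php
// Added example (not from the deck): validate an uploaded file the way the
// "Files" slide recommends: ignore the client-supplied MIME type, check the
// size at the application level on top of php.ini limits, and store under a
// server-chosen name with an allowlisted extension so code files never land
// in the webroot.
declare(strict_types=1);

// Allowlist of sniffed content types mapped to the extension we store under.
// Anything not listed here (php, js, html, ...) is rejected outright.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Validate one $_FILES entry. Returns the safe extension to store the file
 * under, or throws with a reason the caller can log.
 */
function validateUpload(array $file, int $maxBytes): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    // Only accept files PHP itself received via HTTP POST, not arbitrary paths.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size: php.ini already enforces upload_max_filesize / post_max_size;
    // this is the second, application-level check the slide asks for.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('file size out of range');
    }
    // Sniff the real type from the bytes; $file['type'] comes from the client.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException("content type '$detected' not allowed");
    }
    // The client's filename (e.g. shell.php or image.php.jpg) is never used.
    return ALLOWED_TYPES[$detected];
}

// Usage, assuming a form field "document", a 2 MiB limit and an upload
// directory outside the public folder (see the Servers slide):
$ext = validateUpload($_FILES['document'], 2 * 1024 * 1024);
$dest = '/var/app/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['document']['tmp_name'], $dest);
```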