The Ultimate PHP Security Checklist

Man, security is hard. It’s not always obvious what needs doing, and the payoffs of good security are, at best, obscure. Who is surprised when it falls off our priority list?

This security checklist aims to give developers a list of PHP security best practices they can follow to help improve the security of their code.

Here is a selection of some of the PHP security checklist items (Read the full checklist here)

Filter and Validate All Data

Regardless of where the data comes from, whether that’s a configuration file, server environment, GET and POST, or anywhere else, do not trust it. Filter and validate it! Do this by using one of the available libraries, such as zend-inputfilter.

Read more:

• Validation in Zend Framework
• Validation in Symfony
• Validation in Laravel

Use Parameterized Queries

To avoid SQL injection attacks, never concatenate or interpolate SQL strings with external data. Use parameterized queries instead and prepared statements. These can be used with vendor-specific libraries or by using PDO.

Learn more:

• Prepared statements and stored procedures in PDO
• Mysqli Prepared Statements
• The PostgreSQL pg_query_params function

Set open_basedir

The open_basedir directive limits the files that PHP can access to the filesystem from the open_basedir directory and downward. No files or directories outside of that directory can be accessed. That way, if malicious users attempt to access sensitive files, such as /etc/passwd, access will be denied.

Read more:

• open_basedir configuration directive
• PHP Filesystem Security
• Isolated Execution Environments by DigitalOcean

Check Your SSL / TLS Configurations

Ensure that your server’s SSL/TLS configuration is up to date, correctly configured, and isn’t using weak ciphers, outdated versions of TLS, valid security certificates without weak keys, etc., by scanning it regularly.

Read more:

• SSL Labs
• Observatory by Mozilla

Connect to Remote Services With TLS or Public Keys

When accessing any database, server, or remote services, such as Redis, Beanstalkd, or Memcached, always do so using TLS or public keys. Doing so ensures that only authenticated access is allowed and that requests and responses are encrypted, and data is not transmitted in the clear.

Read more:

• Public Key Infrastructure and SSL/TLS Encryption
• What is SSL, TLS and HTTPS?
• SSL vs. TLS - What’s the Difference?

Do Not Send Sensitive Information in Headers

By default, PHP will set his version number in the HTTP headers. Some frameworks may do the same as well.

Read more:

• Hide PHP and Apache informations from HTTP headers

Log All the Things

Regardless of whether you’re logging failed login attempts, password resets, or debugging information, make sure that you’re logging with an easy-to-use, mature package, such as Monolog.

Read more:

• Monolog
• PHP Logging Basics

Have a Content Security Policy

Whether you have a one page, static website, a large static website, or a sophisticated web-based application, implement a Content Security Policy (CSP). It helps to mitigate a range of common attack vectors, such as XSS.

Read more:

• Content Security Policy (CSP) via MDN web docs
• Content Security Policy (CSP) via the Google Chrome extensions documentation
• CSP Evaluator
• Content Security Policy (CSP) Validator
• Easily add a Content Security Policy with Sqreen

Enjoyed this list? Check out the full checklist here