OWASP Php
Team Lead: Dan Ehrlich. Please email [email protected] if you would like to help out.
Last Updated: 01/2019
Other Resources: Ultimate 2018 PHP Security Guide. Related Projects.
PHP Security Overview
It is not easy to produce a PHP application without security vulnerabilities. Most application security vulnerabilities apply to PHP applications just like other environments.
The goals of this project are to provide information about building, configuring, deploying, operating, and maintaining secure PHP applications.
- [PHP Security for Developers](PHP_Security_for_Developers "wikilink")
  - This section covers dangerous calls and common vulnerabilities associated with them, such as system(), exec(), eval() and so on. This section will also cover standard security mechanisms available in the standard language, such as cryptography, logging, encryption, and error handling. Securing elements of an application, such as controllers, business logic, and persistence layers, will be covered. We'll discuss handling request parameters, encoding, injection, and more.
  - CONFIG
  - CODEBASE
- [PHP Security for DevSecOps](PHP_Security_for_DevSecOps "wikilink")
  - How to secure a PHP application when running on the major cloud providers. How to secure a PHP application if all you've got is an unmanaged Linux server. Harden the web server, harden the database, and apply various network defenses such as WAFs, GeoIP, and DNSBL.
  - How to secure the development environment. Do you have control over the source code repository? Are commits signed? How do you know which Docker images to trust? Do you scan containers for vulnerabilities?
  - INFRASTRUCTURE
  - DEVELOPMENT
- [PHP Security for Software Architects](PHP_Security_for_Software_Architects "wikilink")
  - Provides information about the design and architectural considerations for a PHP web application. Which frameworks to use, which frameworks are dead, and using the various FIGs.
  - ARCHITECTURE
Pages
Resources
- [Awesome PHP Security](https://github.com/guardrailsio/awesome-php-security)
Libraries
- Google PHP recaptcha
- Paragonie Anti-CSRF Library
- [Enhanced BCrypt Encryption](https://github.com/paragonie/password_lock)
- PHP GnuPG Emailer
- PHP CSP Builder
Documents
- OWASP PHP Top 5
Legacy Pages
The pages below are from 2005-2014, when this project was maintained by a different team. These pages have been kept so that no links are broken, and because there might be certain situations, particularly with extremely legacy apps, where their use might be appropriate. There is great advice below, but be careful: there is also outdated advice as well.
- [PHP Security for Architects](https://www.owasp.org/index.php/PHP_Security_for_Architects)
- [PHP Security for Developers](https://www.owasp.org/index.php/PHP_Security_for_Developers)
- [PHP Security for Deployers](https://www.owasp.org/index.php/PHP_Security_for_Deployers)
- [PHP Configuration Cheat Sheet](https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet)
- PHP CSRF Guard
- Log Injection
- [OWASP PHP Security Project](https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project)
- [OWASP PHP Security Project Roadmap](https://www.owasp.org/index.php/Projects/OWASP_PHP_Security_Project/Roadmap)
- [OWASP RBAC Project](https://www.owasp.org/index.php/Projects/OWASP_RBAC_Project)
- [OWASP VaultDB Project](https://www.owasp.org/index.php/Projects/OWASP_VaultDB_Project)
- [OWASP PHPRBAC Project](https://www.owasp.org/index.php/OWASP_PHPRBAC_Project)
- OWASP WebGoatPHP
Related Resources