Updated: 23 Dec. 2020

This article does not replace a good knowledge of security principles in PHP, but can give you some good advices that really boost security.
There will be nothing to copy/paste straight forward to your PHP files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

This article is the third of our series dedicated to PHP security. The first article gives you guidelines for PHP configuration, updates, data filtering and sanitization, as well as code organization.
The second article discusses protections against known and common attacks.

We will now take a look at file uploads, CRSF, cookies and security through obscurity.

Updated: 23 Dec. 2020

This article does not replace a good knowledge of security principles in PHP, but can give you some good advices that really boost security.
There will be nothing to copy/paste straight forward to your PHP files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

This article is the second of our series dedicated to PHP security. The first article “How to Protect Your Website: PHP Security Tips and Tricks #1” gives you basic guidelines for PHP configuration, updates, data filtering and sanitization, as well as code organization.

We will now look at common hacking attacks against PHP websites and how to defend yourself against them.

Updated: 1 Dec. 2020

PHP remains the most popular server-side programming language: it is used by almost 80% of websites (source). This language continues to be developed, and PHP 8 was released last week ! This version brings new features and should enhance security.

However, the security of PHP builds up from its ‘historical’ core features. The following article does not replace a good knowledge of PHP, and there will be nothing to copy/paste directly into your files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

Today we cover PHP configuration, updates, code organisation and data filtering/escaping.

What is 2FA

Two Factor Authentication (2FA) is a way to strengthen users authentication.
A good example is when you want to trigger a bank transfer from your bank website: depending on your bank, you may receive a text message on your mobile phone, containing a code that you must put back on the website to confirm the transfer.

The second factor can be a phone, a physical object in your possession, some physical characteristic (biometrics) or a secret that only you know.

A 2FA process comes with some disadvantages: it makes the authentication process more complex, and the second factor has to be “available”, which can be a problem with a mobile. Flat battery, bad network coverage or any other hazard can prevent the process from working properly.

Sometimes security can represent a heavy investment in terms of web development.
But there are some tiny adjustments that you can implement on your website that will help you making substantial progress in security. In fact these adjustments are really small in terms of code and configuration, but have a significant impact that requires proper analysis and validation before being implemented.
Here is how HTTP headers can help you in your security efforts.

Better than just rewriting technical specifications and explaining all the details of these HTTP headers, we will focus on giving you a synthetic analysis and a list of interesting links you would like to browse if you need further details.
One important thing to keep in mind is that these headers have an impact on the browser side. They control how web browsers must behave (if they implement the corresponding functionalities). They do not modify the server’s behavior.

We’ve been hearing a lot of things about HTTPS during the past months, and the Heartbleed “bug” has its responsibility in that phenomenon.
There was a time when HTTPS was dedicated to highly sensitive transactions, like banking transactions.

Now HTTPS is considered mandatory as soon as a user is authenticated on a website, in order to protect his web session and connection credentials.

What is HTTPS?

HTTPS is nothing more than HTTP, the Internet protocol used to exchange data between a server and a client (web browser) on which we add a security layer.
HTTP is not a secured protocol: it has been designed in a pure functional objective without taking any security constraint into consideration.

So we add a security layer to HTTP. To be more accurate, we encapsulate HTTP into a secured connection.

This flaw is ranked #10 on the OWASP Top 10. It is the last one of the top 10, so it is not the most “important” but is doesn’t mean we can ignore it, quite the contrary.
This vulnerability empowers phishing attacks. It helps attackers gaining the trust of their victims.
In some cases, it also helps attackers accessing resources their should not be able to access.

How does this flaw work?

Still in our series of articles about web vulnerabilities, this 6th episode is about Sensitive Data Exposure.
As usual, we won’t dive into the highly technical details here (this would require several pages) and won’t therefore discuss cryptography.
This type of vulnerability is ranked number 6 on the OWASP Top 10 2013. These vulnerabilities are usually quite difficult to exploit by hackers, but the impact being really severe, it is very important to properly understand them and make appropriate choices in the application architecture.