1

I'm developing a website that will be accessible from LAN only. I still wish to make it as safe as possible.

From web point of view, is it enough to add SESSION check to every PHP file, use prepared mysqli statements and use HTTPS?

I will be more specific:

I'm checking every PHP page with this:

if(!isset($_SESSION['login']) || $_SESSION['UA'] != $_SERVER['HTTP_USER_AGENT'] || $_SESSION['IP'] != $_SERVER['REMOTE_ADDR'] || time() - $_SESSION['timeout']>=600){
session_unset();
session_destroy();
header('Location:index.php');

I also regenerate session ID on every page, just to be sure. So I'm checking user's user agent, IP address, activity timeout and a session variable "login".

For mysql connection I mostly use prepared statements (mysqli) for security and performance, in cases I don't or can't use prepared statement, I always do real_escape_string() when dealing with client data.

I will also allow HTTPS only, with checking $_SERVER['HTTPS'] = "on".

The server is never setting any cookies, except PHPSSID.

Is this all I can do to make my website secure, or is there anything else? I found bits and pieces all over the web how to secure a website, but nothing on one place, so that's why I'm asking here.

4

4 回答 4

1

A better site for this question may be https://security.stackexchange.com/

Although your LAN web server would be safer know that it's not bulletproof. Your client machines could be one of the major vectors for insecurity in a LAN environment especially if they also can access and are exposed to the outside internet. Leaving them open to things like network eavesdropping or Man-in-the-middle attacks.

Here is A Guide to Building Secure Web Applications and Web Services

于 2012-10-31T14:47:52.270 回答
0

您应该减少攻击面。

看起来您有 PHP 文件处于打开状态以供请求。对于您知道的文件,您可以在上面写一个代码块来“保护”它们。

而是将所有这些移动到一个私有目录中,并且在 webroot 中只有一个入口点,例如index.php. 由于这是唯一一点,您可以验证是否应在中心位置允许请求。这意味着您不能忘记要保护一个文件,如果您想添加额外的检查,您可以在一个地方改善情况。

使用 PHP 文件 (Apache HTTPD) 的示例配置:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

在 PHP 脚本中,您可以通过使用 和 等特殊变量来获取 URI/ $_SERVER['REQUEST_URI']URL$_SERVER['QUERY_STRING']

于 2012-10-31T15:29:45.240 回答
0

确保验证用户提供的尽可能多的数据,以确保它是有效的或用户应该给你的东西,如果你必须重新显示他们给你的数据或其他人给你的数据(即你将它存储在db 供以后使用)然后确保使用 htmlenties 来制作它,这样 JavaScript 就不会在数据中工作。如果您将他们的数据放在 javascript 中,那么请改用 addlashes。你说的很多也很好。

作为一个随机附注,我会验证他们给你的会话 id 是一个有效的会话 id,即 ^[a-zA-Z0-9]{26,40}$

于 2012-10-31T13:55:43.907 回答
0

在您的 Web 服务器配置中,您可以阻止所有不是来自您的 LAN 的请求,作为额外的预防措施。

除此之外,它似乎绰绰有余。

于 2012-10-31T13:49:53.307 回答