100 Hal Penting Untuk Membuat Website PHP Aman dari Serangan

100 Hal Penting Untuk Membuat Website PHP Aman dari Serangan

Banyak sekali hal yang harus diperhatikan oleh seorang programmer web, khusunya programmer PHP untuk membuat sebuah aplikasi atau website yang baik. Salah satu faktor penting yang harus diperhatikan namun kadang diabaikan yaitu masalah security atau keamanan.

Ilustrasi Pengamanan (Foto: designrshub.com)

Tidak mudah untuk membuat aplikasi website yang bebas celah dan bebas serangan peretas, karena seperti yang kita ketahui bersama bahwa “tidak ada sistem yang sempurna”. Meskipun begitu, bukan berarti masalah keamana bisa diabaikan, setidaknya sang programmer bisa meminimalisir hal-hal yang bisa membahayakan apa yang telah dibuatnya.

Berikut ini adalah 100 poin yang setidaknya harus dilakukan oleh seorang programmer untuk membuat aplikasi yang aman / secure, meskipun ini tidak membuat 100% aman.

Basic

Berikut ini adalah hal-hal dasar seputar keamanan yang harus diperhatikan ketika membuat web / aplikasi dengan PHP

• Strong passwords are used.
• Passwords stored safely.
• register_globals is disabled.
• Magic_quotes is disabled.
• display_errors is disabled.
• Server(s) are physically secured.

Input

Ketika website atau aplikasi yang dibuat melibatkan form untuk menginput data, maka harus memperhatikan hal-hal berikut ini agar segala sesuatunya aman.

• Input form $_GET, $_POST, $_COOKIE and $_REQUEST is considerend tainted.
• Understood that only some values in $_SERVER and $_ENV are untainted.
• $_SERVER['PHP_SELF'] is used where used.
• Input data is validated.
• \o (null) is discardedin input.
• Length of input is bounded.
• Email addresses are validated.
• Application is aware of small, very large, zor and negative numbers. Sci. notation too.
• Application checks for invisible, look-alike, and combining characters.
• Unicode control characters stripped out when required.
• Output data is sanitized.
• User-inputted HTML is sanitized with HTMLPurifier.
• User-inputted CSS is sanitized using a white-list
• Abusable properties (margin, position, etc.) are handled.
• CSS escape sequences are handled.
• Javascript in CSS is discarded (expressions, behaviors, bindings.)
• URLs are sanitized and unknown and unwanted protocols are disallowed.
• Embedded plugin files (Flash Movies) are embedded in a manner so that only the intended plugin is loaded.
• The application uses a safe encoding.
• An encoding is specified using a HTTP header.
• Inputted data is verified to be valid for your selected encoding if using an unsafe encoding.

File Uploads.

Ketika website yang dibuat dengan PHP melibatkan gambar atau file yang akan di input, maka agar aman perlu diperhatikan hal-hal berikut.

• Application verifies file type.
• User provided mime type value is ignored.
• Application analyzes the content of files to determinie their type.
• It is understood that a perfectly valid file can still contain arbritrary data.
• Application checks the file size of uploaded files.
• MAX_FILE_SIZE is not depended upon.
• File uploads cannot “overtake” avaible space.
• Content is checked for malicious content.
• Application uses a malware scanner (if req.).
• Uploaded HTML files are displayed securely.
• Uploaded files are not moved to a web-accessisble directory.
• Extensive path checks are used when serving files.
• Uploaded files are not served with include().
• Uploaded files are served as an attachment using the Content-Disposition header.
• Application sends the X-Content-Type-Options: nosniff header.
• Files are not not served as: (Unless necessary)
• "application/octet-stream"
• "application/unknown"
• "plain/text"

Database

Database merupakan sasaran utama para peretas, karena pada bagian inilah informasi penting tersimpan, untuk itu ketika website melibatkan database, perhatikan hal berikut.

Data inserted into the database is properly escaped or parameter/prepared statements are used.

addslashes() is not used.

Application does not have more privileges to the database then necessary.

Remote connections are disabled if they are unnecessary.

Serving files

Ketika website melayani servis file, maka perhatikan hal-hal berikut agar website aman dari orang yang tidak berhak mengakses.

• User input is not directly used in a pathname.
• Directory traversal is prevented.
• Null (\o) in paths are filtered.
• Application is aware of “:”
• PHP streams are filtered.
• Access to files is not restricted by hiding the files.
• Remote files not included with include().

Authencation

Ketika aplikasi atau web membutuhkan halaman yang hanya boleh diakses oleh orang tertentu yang bisa dipercaya, maka perlu proses authentication yang ketat, berikut poin-poin nya.

• Bad password throttling.
• CAPTCHA is used.
• SSL used to prevent MITM.
• Passwords are not stored in a cookie.
• are hashed.
• Per-user salts are used.
• bcrypt() is used with sufficient number of rounds.
• MD5 is not used.
• Users are warned about obvious password recovery questions.
• Account recovery forms do not reveal email existence.
• Pages that send emails are throttled.

Sessions

Session biasanya digunakan untuk mengatur apakah seseorang boleh untuk mengakses halaman tertentu atau tidak, session juga di gunakan untuk menyimpan data-data penting yang diperlukan oleh website, jadi perlu diamankan dengan memperhatikan hal berikut.

• Sessions only use cookies. (session.use_use_only_cookies).
• On logout session data is destroyed.
• Session is recreated on authorization level change.
• Sites on the same server use different session storage dirs.
• 3th-party

Bantuan pihak ketiga yang perlu juga untuk diperhatikan oleh programmer PHP adalah berikut ini.

• issues are prevented with tokens/keys.
• Referrers are not relied upon.
• Pages that perform action use POST.
• Important Pages (logout, etc.) are protected.
• Your pages are not written in a way (i.e. JSON, JS-like) where they can be included and read on a remote website successfully.
• Aware that Flash can bypass referrer checks to load images and sound files.
• The following things will not reveal significant information if included remotely:
• Images.
• Pages that take a longer time to load.
• CSS files.
• Existence or ordening of frames.
• Existence of a JS variable.
• Detected visit of a URL.
• Inclusion of your website in an inline frame with JS disabled does not reveal a threat.
• Application uses frame bursting code and sends the X-Frame-Options header.
• Miscellaneous

Hal-hal umum lain yang perlu untuk diperhatikan terkait pembuatan website dan aplikasi berbasis PHP

• A crypthographically secure PRNG is used for secret randomly-generated IDs (activation links, secret IDs? etc.).
• Suhosin is installed or you are not using rand() for this.
• Anything that consumes a lot of resources should be throttled and limited.
• Pages that use 3th-party APIs are throttled.
• You did not create your own encryption algorithm.
• Arguments to external programs (i.e. exec()) are validated.
• Generic internal and external redirect pages are secured.
• Precautions taken against the source code of you PHP pages being shown due to misconfiguration.
• Configuration and critical files are not in a web-accessible directory.

Shared Hosting

Ketika website yang dibuat dengan PHP di taruh di shared hosting, maka ada hal-hal yang perlu diperhatikan agar website bisa aman. Shared hosting berarti website ditaruh di server yang sama dengan website-website lain yang jumlah nya sangat banyak, website lain kena serangan, maka website kita bisa kena juga.

• Using a secure shared host where users connot access the files of other users.
• Aware that fellow shared hoting users:
• Can, if on the same IP address, issue requests against your site with XMLHttpRequest in IE6.
• Can access your website form 127.0.0.1 or ::1.
• Can host a server on the same IP address.
• Are not “remote” as far as your DB is concerned.
• Session & file upload directories are not shared.

Itulah berbagai hal yang perlu diperhatikan ketika membuat website dengan PHP, wah banyak sekali ya, layaklah seharusnya seorang programmer web dibayar sangat mahal ;)