How to securely store the credentials in php files
Question
I know that my credentials could be stored in var/ directory but it doesn't feel right to me. How can I add an extra layer of security in order to keep the credentials safe?
1 answers
solution1
1 ACCPTED 2020-07-06 17:12:11
Credentials should be stored in a file. This could either be a php file, or a.env file for example.
Credentials can be stored in plain text.
Your first line of defense is to store these files in a folder which is not accessible through your webserver.
For example:
/home/you/www/public -> public files go here, e.g your index.php
/home/you/www -> all other files, including vendor libs etc, and your config files
(The public folder should be defined as your serving folder in your virtual host configuration)
Your second line of defense is happening on your system. For example, maybe you have a special user with a strong password for your specific site. Basically, in this second line of defense you really specify who can access your files, who has SSH Access, etc.
Your third line of defense is configuring your database correctly. You might only need to allow local access for example?
Now, your fourth line of defense is making sure your credentials are never ever ever printed in error messages or logs, especially not in errors to web users. Differentiate between develop and production status in your scripts.
And there's more (monitoring incorrect logins, fail2ban, etc), but these are the basics. Most of them are handled when you use a php framework, like Laravel. Laravel differentiates between public and non public, uses.env files, allows you to define production status, and will limit error output to users.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.