More about Blackfire’s Security and Quality Recommendations
Quality recommendations aim specifically at making sure that your are pushing the right configuration in production. When it comes to security, the real power of Blackfire is that it prevents you from ever pushing unsecure code to production.
Following up on great start for the release of the Quality and Security add-ons, here is more information about what they contain.
Quality recommendations aim specifically at making sure that your are pushing the right configuration in production.
A configuration check example
We have many checks that ensure that your
php.ini settings are optimal. Here is one:
‘session.auto_start is resource-hungry and should not be enabled’: unless: ‘not has_configuration(“session_auto_start”)’ assertions: - ‘runtime.configuration.session_auto_start === false’
Checking Symfony polyfills usage
Symfony polyfills enable projects to use functions from newer versions of PHP than the one running on your servers or implement some PHP extension features. For instance, you can use PHP 7.2 functions even if you’re still on PHP 5.6. Blackfire detects this situation and recommend to upgrade your PHP version or install the relevant PHP extensions:
Native iconv extension should be used instead of Symfony polyfill,
Upgrade PHP runtime instead of using Symfony PHP 7.2 polyfill.
Having Blackfire let you know about bad practices when your code is deployed to production is very helpful. Some configuration may indeed make sense when you’re in development, but should be updated once you move to production. But when it comes to security, the real power of Blackfire is that it prevents you from ever pushing unsecure code to production. Blackfire checks the version of your Composer dependencies and alert you if some contain known security issues.
Checking for the optimal security configuration
Some other configuration checks that can have bad consequences:
display_errors should be disabled: The display_errors ini setting, when enabled, displays the full contents of the PHP errors, which can leak sensitive information.
expose_php should be disabled: By unveiling your PHP version, you might let malicious users exploit known vulnerabilities for your PHP version.
Most of you might think they would never enable such settings in production. You would be surprised. From a configuration mistake to temporary changes that were never reverted, Blackfire gets you covered.
If you have an Entreprise subscription, you already get quality and security recommendations. For Profiler and Premium customers, enable the security and quality addons from your subscription page.
Happy performance, quality, and security checking,