More about Blackfire’s Security and Quality Recommendations

By Christophe Dujarric, on Apr 12, 2018

Following up on the great start of the Quality and Security add-ons release, here is more information about what they contain.

Quality recommendations

Quality recommendations aim specifically at making sure that you are pushing the right configuration to production.

A configuration check example

We have many checks that ensure that your php.ini settings are optimal. Here is one:

'session.auto_start is resource-hungry and should not be enabled':
    unless: 'not has_configuration("session_auto_start")'
    assertions:
        - 'runtime.configuration.session_auto_start === false'

Checking Symfony polyfills usage

Symfony polyfills let projects use functions from newer PHP versions than the one running on your servers, or provide features of PHP extensions that are not installed. For instance, you can use PHP 7.2 functions even if you're still on PHP 5.6. Blackfire detects this situation and recommends upgrading your PHP version or installing the relevant PHP extension, with messages such as "Native iconv extension should be used instead of Symfony polyfill" and "Upgrade PHP runtime instead of using Symfony PHP 7.2 polyfill".

Security recommendations

Having Blackfire let you know about bad practices when your code is deployed to production is very helpful. Some configuration may make sense in development but should be updated once you move to production. When it comes to security, the real power of Blackfire is that it prevents you from ever pushing insecure code to production: Blackfire checks the versions of your Composer dependencies and alerts you if any of them contain known security issues.
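As an added example of the kind of check the last sentence describes (this is not Blackfire's own code), the Python below reads a composer.lock, compares each locked package version against a table of known-vulnerable version ranges, and reports the matches. The advisory table, the package names and the composer.lock excerpt are all constructed for illustration; a real check would pull advisories from a security database rather than a hard-coded dictionary.

```python
"""Match locked Composer packages against known-vulnerable version ranges.

Added example, not Blackfire's own code; advisories and lock file are constructed.
"""
import json
import re


def parse_version(version):
    """Turn 'v1.4.2' or '1.4.2' into a comparable tuple of ints.

    Pre-release suffixes are ignored and branch aliases such as 'dev-master'
    raise ValueError, because they cannot be ordered against a release range.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)$", version.strip().split("-")[0])
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed, the shape most advisories use."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


# Constructed advisory table: package -> [(first affected, first fixed, advisory id)].
ADVISORIES = {
    "acme/example-lib": [("1.0.0", "1.4.3", "EXAMPLE-ADVISORY-0001")],
    "acme/legacy-mailer": [("0.0.0", "3.0.0", "EXAMPLE-ADVISORY-0002")],
}


def vulnerable_packages(lock_json, advisories=ADVISORIES):
    """Return (name, locked version, advisory id) for every affected package.

    Both production and dev requirements are scanned: a vulnerable dev tool is
    still a supply-chain problem on the build host.
    """
    lock = json.loads(lock_json)
    hits = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            for first_affected, first_fixed, advisory_id in advisories.get(pkg["name"], []):
                try:
                    affected = in_range(pkg["version"], first_affected, first_fixed)
                except ValueError:
                    continue  # branch alias: not comparable to a release range, skipped here
                if affected:
                    hits.append((pkg["name"], pkg["version"], advisory_id))
    return hits


# Constructed composer.lock excerpt with one vulnerable and one fixed package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/example-lib", "version": "v1.4.1"},
        {"name": "acme/other-lib", "version": "2.0.0"},
    ],
    "packages-dev": [
        {"name": "acme/legacy-mailer", "version": "3.1.0"},
    ],
})

if __name__ == "__main__":
    for name, version, advisory_id in vulnerable_packages(SAMPLE_LOCK):
        print(f"{name} {version} is affected by {advisory_id}")
```

Running it prints the single affected package; the half-open range (first affected version inclusive, first fixed version exclusive) is the form most advisory feeds publish, so a real feed can be loaded into the same dictionary shape.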

Checking for the optimal security configuration

Some other configuration checks, for settings that can have bad consequences:

display_errors should be disabled: The display_errors ini setting, when enabled, displays the full content of PHP errors, which can leak sensitive information.

expose_php should be disabled: By revealing your PHP version, you might let malicious users exploit known vulnerabilities for that version.
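As an added example (not Blackfire's own checks), here is a small Python audit that applies the three php.ini checks discussed on this page, session.auto_start, display_errors and expose_php, to the text of a php.ini file. The rule messages and the sample php.ini are constructed for illustration, and the parser is deliberately minimal.

```python
"""Audit php.ini text for the production settings discussed above.

Added example, not Blackfire's own checks; rules and sample input are constructed.
"""

# Spellings PHP's ini parser treats as "off"; anything else, including the
# display_errors-specific values "stderr" and "stdout", leaves a directive on.
_OFF_VALUES = {"", "0", "off", "false", "no", "none"}


def ini_off(value):
    """Return True when PHP would treat this ini value as disabled."""
    return value.strip().strip("\"'").lower() in _OFF_VALUES


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' pairs, ';' comments, [sections] skipped.

    Later assignments override earlier ones, as in PHP. A ';' inside a quoted
    value is not handled, which is acceptable for the boolean directives here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


# Constructed rule list: directive -> why it must be off in production.
RULES = [
    ("session.auto_start",
     "starts a session on every request and is resource-hungry"),
    ("display_errors",
     "prints full PHP error details into the response, which can leak paths, queries and other sensitive data"),
    ("expose_php",
     "advertises the exact PHP version in the X-Powered-By header, making it easy to match against known vulnerabilities"),
]


def audit(text):
    """Return (directive, value, reason) for every rule the given php.ini violates."""
    settings = parse_ini(text)
    findings = []
    for directive, reason in RULES:
        # Like the Blackfire check quoted earlier, only judge directives that are
        # explicitly set; an absent directive uses PHP's compiled-in default.
        if directive in settings and not ini_off(settings[directive]):
            findings.append((directive, settings[directive], reason))
    return findings


# Constructed sample: a production php.ini with one debugging change left behind.
SAMPLE_INI = """\
[PHP]
expose_php = Off
display_errors = On   ; TODO: revert after debugging the checkout bug
error_reporting = E_ALL

[Session]
session.auto_start = 0
"""

if __name__ == "__main__":
    for directive, value, reason in audit(SAMPLE_INI):
        print(f"{directive} = {value}: should be disabled, it {reason}")
```

The audit flags only the leftover display_errors = On line; note that ini_off treats any unrecognised value as "on", so a display_errors = stderr that would still print errors is reported rather than silently passed.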

Most of you might think you would never enable such settings in production. You would be surprised: from a configuration mistake to a temporary change that was never reverted, Blackfire has you covered.

If you have an Enterprise subscription, you already get quality and security recommendations. For Profiler and Premium customers, enable the security and quality add-ons from your subscription page.

Happy performance, quality, and security checking,


Christophe Dujarric

Christophe is the Chief Product Officer at Blackfire. He's an engineer, but probably one of the least "tech" people in the company. He's wearing many hats, from product management to marketing and sales. He loves the beauty of simple solutions that solve actual problems.