More about Blackfire’s Security and Quality Recommendations

Quality recommendations aim specifically at making sure that you are pushing the right configuration to production. When it comes to security, the real power of Blackfire is that it prevents you from ever pushing insecure code to production.

By Christophe Dujarric, on Apr 12, 2018

Following up on the great start of the Quality and Security add-ons release, here is more information about what they contain.

Quality recommendations

Quality recommendations aim specifically at making sure that you are pushing the right configuration to production.

A configuration check example

We have many checks that ensure that your php.ini settings are optimal. Here is one:

Checking Symfony polyfills usage

Symfony polyfills let projects use functions from newer versions of PHP than the one running on your servers, or reimplement features of some PHP extensions. For instance, you can use PHP 7.2 functions even if you’re still on PHP 5.6. Blackfire detects this situation and recommends upgrading your PHP version or installing the relevant PHP extensions, for example: “Native iconv extension should be used instead of Symfony polyfill” and “Upgrade PHP runtime instead of using Symfony PHP 7.2 polyfill”.

Security recommendations

Having Blackfire let you know about bad practices when your code is deployed to production is very helpful. Some configuration may indeed make sense while you’re in development, but should be updated once you move to production. When it comes to security, the real power of Blackfire is that it prevents you from ever pushing insecure code to production: Blackfire checks the versions of your Composer dependencies and alerts you if any of them contain known security issues.
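To make the two dependency checks above concrete (the polyfill recommendation from the Quality section and the vulnerable-dependency check from this one), here is a small added example of how such an audit can be run over a composer.lock file. This is illustrative code written for this post, not Blackfire’s own checker: the lock file excerpt, the advisory entries and the `acme/*` package names are all constructed placeholders, and a real check would consult a published advisory database rather than the inline dictionary.

```python
"""Audit a composer.lock for Symfony polyfills and known-vulnerable versions.
Hypothetical example code, not Blackfire's implementation."""
import json
import re

# Constructed composer.lock excerpt containing only the fields the audit needs.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/polyfill-iconv", "version": "v1.7.0"},
        {"name": "symfony/polyfill-php72", "version": "v1.7.0"},
        {"name": "acme/http-client", "version": "2.3.1"},
        {"name": "acme/templating", "version": "1.0.4"},
    ]
})

# Constructed advisory list: package -> advisories with a placeholder id and the
# first fixed version. Real advisories would come from an advisory database.
ADVISORIES = {
    "acme/http-client": [{"id": "ADVISORY-PLACEHOLDER-1", "fixed_in": "2.4.0"}],
}

# Specific advice for polyfills that have a native counterpart; any other
# symfony/polyfill-* package gets a generic recommendation.
POLYFILL_ADVICE = {
    "symfony/polyfill-iconv": "Native iconv extension should be used instead of Symfony polyfill",
    "symfony/polyfill-php72": "Upgrade PHP runtime instead of using Symfony PHP 7.2 polyfill",
}


def parse_version(version):
    """Turn 'v1.7.0' or '2.3.1' into a comparable tuple of ints.

    Returns None for non-numeric versions such as 'dev-master', so that the
    caller can skip the comparison instead of guessing."""
    parts = version.lstrip("v").split(".")
    numbers = []
    for part in parts:
        match = re.match(r"\d+", part)
        if not match:
            return None
        numbers.append(int(match.group()))
    return tuple(numbers)


def audit_lock(lock_text):
    """Return (kind, package, message) findings for a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []):
        name, version = pkg["name"], pkg["version"]

        # Quality check: a polyfill is installed, so the runtime lacks the feature.
        if name.startswith("symfony/polyfill-"):
            advice = POLYFILL_ADVICE.get(
                name, "Upgrade PHP or install the native extension instead of this polyfill")
            findings.append(("quality", name, advice))

        # Security check: installed version is below the first fixed version.
        installed = parse_version(version)
        for adv in ADVISORIES.get(name, []):
            fixed = parse_version(adv["fixed_in"])
            if installed is not None and fixed is not None and installed < fixed:
                findings.append(("security", name,
                                 f"{adv['id']}: upgrade to >= {adv['fixed_in']}"))
    return findings


if __name__ == "__main__":
    for kind, package, message in audit_lock(COMPOSER_LOCK):
        print(f"[{kind}] {package}: {message}")
```

Running it on the constructed lock file reports the two polyfills as quality findings and `acme/http-client` as a security finding; `acme/templating` has no advisory and stays silent.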

Checking for the optimal security configuration

Some other configuration checks, for settings that can have bad consequences in production:

display_errors should be disabled: the display_errors ini setting, when enabled, displays the full contents of PHP errors, which can leak sensitive information.

expose_php should be disabled: by revealing your PHP version, you may let malicious users exploit known vulnerabilities in that version.
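As an added example (written for this post, not Blackfire’s code), here is a minimal audit of these two settings that parses php.ini text the way a production check would: it reads the last value given for each key, understands the boolean spellings PHP accepts, and flags a key that is absent altogether, because PHP’s built-in default for both display_errors and expose_php is enabled. The development and production fragments are constructed for illustration, with the weak settings shown beside the corrected ones.

```python
"""Flag display_errors / expose_php when a php.ini is not production-ready.
Hypothetical example code, not Blackfire's implementation."""

# Constructed php.ini fragment: a development profile that was pushed as-is.
PHP_INI_DEV = """
; development settings that were never reverted
display_errors = On
expose_php = On
error_reporting = E_ALL
"""

# Constructed fragment with the same settings corrected for production.
PHP_INI_PROD = """
display_errors = Off
expose_php = Off
log_errors = On
"""

# Setting -> recommendation text shown when it is enabled.
PRODUCTION_RULES = {
    "display_errors": ("display_errors should be disabled: it prints the full "
                       "contents of PHP errors, which can leak sensitive information"),
    "expose_php": ("expose_php should be disabled: it reveals your PHP version "
                   "to anyone who can see the response headers"),
}

# php.ini boolean spellings that PHP treats as enabled (case-insensitive).
TRUTHY = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Parse 'key = value' lines, dropping ';' comments and blank lines.

    Later occurrences overwrite earlier ones, as they do when PHP reads the file.
    Keys are lower-cased and values lower-cased and unquoted for comparison."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').lower()
    return settings


def is_enabled(key, value):
    """Decide whether a setting is on. A missing key (None) counts as enabled
    because PHP's compiled-in default for both audited settings is on, and
    display_errors additionally accepts 'stderr' / 'stdout' as enabled values."""
    if value is None:
        return True
    if key == "display_errors" and value in {"stderr", "stdout"}:
        return True
    return value in TRUTHY


def audit_ini(text):
    """Return (key, value, advice) for each audited setting that is enabled."""
    settings = parse_ini(text)
    findings = []
    for key, advice in PRODUCTION_RULES.items():
        value = settings.get(key)
        if is_enabled(key, value):
            findings.append((key, value, advice))
    return findings


if __name__ == "__main__":
    for label, ini in (("development", PHP_INI_DEV), ("production", PHP_INI_PROD)):
        print(f"{label}: {len(audit_ini(ini))} finding(s)")
        for key, value, advice in audit_ini(ini):
            print(f"  {key}={value!r}: {advice}")
```

The development fragment produces two findings and the production fragment none; an empty file also produces two, which is the point of treating a missing key as enabled rather than as safe.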

Most of you might think you would never enable such settings in production. You would be surprised. From a configuration mistake to a temporary change that was never reverted, Blackfire has you covered.

If you have an Enterprise subscription, you already get quality and security recommendations. For Profiler and Premium customers, enable the Security and Quality add-ons from your subscription page.

Happy performance, quality, and security checking,


Christophe Dujarric

Christophe is the Product guy at Blackfire. He has been working in several start-up companies, helping them to make and sell products out of technologies. He’s involved in every step of the product’s lifecycle, from strategy to design and sales, and loves to coach on product management methods.