Essential Web Application Security Checklist: From Input Validation to Server Hardening
This guide outlines a comprehensive security checklist covering form input validation, safe system call handling, buffer overflow prevention, strong password policies, session protection, mitigation of XSS, SQL injection, CSRF, Apache and MySQL hardening, PHP configuration, and fuzz testing techniques.
1. Form Testing
Test every form field with blank and control characters, non‑alphabetic data (e.g., symbols), overly long input (more than 256 characters), spam comments, binary data, multiple encodings (ASCII, UTF‑8, hex, octal), SQL injection payloads, and XSS payloads. Enforce length limits, send email to a single recipient only, and handle errors properly.
2. System Calls
Avoid using sudo in production; escape commands with escapeshellcmd() and escapeshellarg(); and wrap the system functions (exec, system, backticks) in safe APIs that accept only validated parameters, such as a filename checked against an allowlist.
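The wrapper pattern from this section, written out as an added example (not code from the original article): a PHP 8 function that accepts only a filename matching a strict allowlist, confirms the resolved path stays inside a fixed directory, and then runs a fixed command with the argument quoted by escapeshellarg(). The function name and the UPLOAD_DIR path are assumptions for the illustration.

```php
<?php
// Added example, not from the original article. Demonstrates section 2:
// wrap a system call in a safe API that accepts only a validated filename.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed base directory

/**
 * Run `file -b` on one file inside UPLOAD_DIR and return its output.
 * Throws InvalidArgumentException for anything that is not a plain,
 * existing filename located in that directory.
 */
function safe_file_info(string $name): string
{
    // 1. Allowlist the characters and bound the length. This rejects
    //    blanks, control characters, shell metacharacters and path
    //    separators (so no "../" traversal) before any OS call is made.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        throw new InvalidArgumentException('invalid filename');
    }

    // 2. Resolve the path and confirm it is still under UPLOAD_DIR
    //    (realpath() also fails for non-existent files and symlink tricks
    //    that would point outside the base directory).
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !str_starts_with($path, $base . '/')) {
        throw new InvalidArgumentException('file not found or outside base directory');
    }

    // 3. Fixed program, fixed flags; only the argument derives from user
    //    input, and it is quoted with escapeshellarg() as defence in depth.
    $cmd = '/usr/bin/file -b -- ' . escapeshellarg($path);
    $out = shell_exec($cmd);
    return is_string($out) ? trim($out) : '';
}

// Usage: "report.pdf" passes the checks; "a;b", "../etc/passwd" or
// "name with spaces" are rejected before anything is executed.
```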
3. Buffer Overflow
When a program runs, data written into a stack buffer grows upward toward the saved return address; if input exceeds the allocated buffer, it overwrites adjacent memory, including that return address, which can redirect execution to attacker-supplied code. Always bound input length before copying it into fixed-size buffers.
4. Password Strength
Avoid dictionary words; require mixed case and symbols with a length of more than 6‑8 characters; provide password hints; rotate passwords regularly; store them encrypted; secure the password database; and use verification codes for email‑based account creation.
5. Session Security
Address session fixation, hijacking, and poisoning.
6. Common Web Vulnerabilities
Mitigate XSS (use htmlspecialchars and strip_tags on output and input respectively), SQL injection (use mysqli_real_escape_string or addslashes on every value placed in a query), CSRF, backdoors, dangerous scripts (e.g., phpinfo), remote file inclusion (disable allow_url_include), and admin panel exposure, and enforce proper authentication throughout.
7. Apache Configuration
Restrict dangerous PHP functions with the disable_functions directive in php.ini:
disable_functions = phpinfo,gzcompress,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,popen,ini_restore,syslog,define_syslog_variables,symlink,link,error_log,leak,dbmopen,openlog,closelog,pclose,stream_socket_server
Hide version and HTTP headers (ServerSignature Off, ServerTokens Prod, expose_php = Off), prevent directory traversal, restrict <Directory> access, disable unnecessary modules, and optionally use ModSecurity.
8. MySQL Hardening
Disable remote access or restrict to specific IPs, rename the root user and set a strong password, create dedicated accounts with minimal privileges per application, and remove unused accounts and databases.
9. PHP.ini Settings
Enable safe_mode and safe_mode_gid; configure open_basedir and safe_mode_exec_dir; disable expose_php, register_globals, and display_errors; set session.cookie_lifetime appropriately; and restrict remote file access. Note that safe_mode and register_globals were removed in PHP 5.4, so on current PHP versions rely on open_basedir, disable_functions, and the remaining settings.
10. Fuzz Testing
Use tools such as PowerFuzzer and CAL9000 for comprehensive fuzz testing.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO
21CTO (21CTO.com) offers developers a community, training, and services, making it a go‑to learning and service platform.