12

Is there a way to encrypt or enclose my code on my Linux server after deployment? I know Zend does some kind of encryption, right? Is that what people use? Is this even possible? How do I go about keeping my code secure online?

Gumbo
rockstardev
  • Don't allow others to access your server if you don't trust them? Make the program secure, so "hackers" can't access files they shouldn't, and make sure only people you trust can access the server directly. – gen_Eric Mar 22 '12 at 16:42
  • 3
    Code encryption is really for people who sell their web software as a product. If you are deploying on your own server, then by all means encrypt, but it's not usual practice - just secure your server. – halfer Mar 22 '12 at 16:45

3 Answers

20

You are right, you can use Zend Encoder, ionCube or something like SourceGuardian to encrypt your source code.

It's not really needed unless you are giving away your code and don't want people to steal it though.

What is it about your server that you think is insecure?

472084
  • Could go the Facebook route and PHC/HipHop it; gets you the advantages (and drawbacks) of compiled code then - faster but harder to maintain as you need to recompile to patch it. – CD001 Mar 22 '12 at 16:48
  • 2
    @RD. then again the best web site administrators are paranoid! – Blindy Mar 22 '12 at 18:10
5
  1. Periodically check the open ports on your server
  2. Do not trust the data coming from the browser - verify it and validate it.
  3. Periodically do an audit of the processes on your machine and who can access them
  4. Only have files in the document root that should be accessible by the outside world. Include files etc. should not exist here.
  5. Check the log files periodically to check for suspect access.
  6. For PHP errors/warnings - find a mechanism that does not give the client (browser) any info about what has gone wrong. Send that to yourself. This is true for MySQL as well.
Ed Heal
2

If the file system on your server has been compromised, then all is already lost. The best you can do is restrict the folders which are writable by the web server's user.

Also keep the application code outside the DOCUMENT_ROOT. Only the files you actually intend to show the user, or which would not show any sensitive information, should be publicly available: like an index.php file which contains an include of ../app/bootstrap.php.

You could use Zend Guard, but this would impact the owner of the code. You might not always be the one maintaining it.

tereško
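
An added example, not part of the answers above: a shell audit that checks a document root against the advice given here (only the front controller in the docroot, application code included from ../, no loosely writable folders). It assumes index.php is the only PHP file meant to be public; the sample tree and all paths are constructed.

```shell
#!/bin/sh
# Added example: audit a document root for the layout described above.
# Assumption: index.php is the only PHP file meant to be public.

# PHP source under the docroot other than the front controller.
stray_php() {
    root=${1%/}
    find "$root" -type f \( -name '*.php' -o -name '*.inc' \) \
        ! -path "$root/index.php" | sort
}

# Directories that are group- or world-writable, i.e. candidates for being
# writable by the web server's user. Review each; an uploads dir may be intended.
loose_dirs() {
    find "${1%/}" -type d \( -perm -020 -o -perm -002 \) | sort
}

# True when index.php pulls the application in from a ../ path.
bootstraps_outside() {
    grep -Eq '(include|require)(_once)?[^;]*\.\./' "${1%/}/index.php" 2>/dev/null
}

# Print findings; return 0 when the docroot is clean, 1 otherwise.
audit_docroot() {
    findings=0
    stray=$(stray_php "$1"); loose=$(loose_dirs "$1")
    if [ -n "$stray" ]; then printf 'code inside docroot:\n%s\n' "$stray"; findings=1; fi
    if [ -n "$loose" ]; then printf 'writable dirs:\n%s\n' "$loose"; findings=1; fi
    if ! bootstraps_outside "$1"; then echo 'index.php has no ../ include'; findings=1; fi
    return "$findings"
}

# Constructed sample tree (hypothetical names) for trying the audit offline.
make_sample() {
    mkdir -p "$1/app" "$1/public/uploads"
    echo "<?php require __DIR__ . '/../app/bootstrap.php';" > "$1/public/index.php"
    echo "<?php // application code" > "$1/app/bootstrap.php"
    echo "<?php // db password lives here" > "$1/public/config.inc"
    chmod 755 "$1/public"; chmod 777 "$1/public/uploads"
}

# Usage: sh audit.sh /path/to/docroot
if [ "$#" -gt 0 ]; then audit_docroot "$1"; fi
```

The writable-directory check reads permission bits only; ownership by the web server's account still has to be reviewed by hand.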