As I mentioned in my last video tutorial on AMFPHP, I want to take a few minutes and talk about the steps you can take to make it as secure as possible. Most of what I’m going to share was taken from a blog post written by Wade Arnold. One important thing to note right off the bat is that I will be talking about security as it relates to AMFPHP 1.9 and higher. If you are using an earlier version you will want to check elsewhere for the details for you specific version. So without further adieu, here are the steps to better AMFPHP security:
Delete the Service Browser
If you’ve watched my tutorials you know that the Service Browser is that Flex application that allows you, or anyone else for that matter, to see all of the services and methods you have available. For obvious reasons you will want to delete this on your production machine. You don’t want random people seeing all the goodies that you have exposed. To get rid of it simply delete the browser folder that is located in your AMFPHP root directory.
Delete the DiscoveryService service
The DiscoveryService service is included when you install AMFPHP. When you go to the Service Browser for the first time you will see it as the one and only service. This service exposes methods that give all the details about the services and methods you have available. In that sense it is very much like the Service Browser itself and should be deleted for the same reasons. From your AMFPHP root directory, go into the services folder. From there either delete the entire amfphp folder or just the DiscoveryService.php file which is located inside of it.
Set the PRODUCTION_SERVER property
The PRODUCTION_SERVER property is located in the gateway.php file which is located in the root AMFPHP folder. This property is set to false by default but should be set to true in production environments. This will disable things like remote tracing and debugging headers. Open gateway.php and set the property like so:
Run over SSL if possible
I’m definitely not a server geek so don’t ask me how you would do this. But the idea is that the data going back and forth between Flash and AMFPHP will not be plain text and this would of course make it much harder for people to be able sniff out the actual data.
Running the beforeFilter
In AMFPHP 1.9 there is a new feature which will allow you to authenticate the calling client to make sure they have the right access level to call the service. Basically you define a function in your service class named beforeFilter using the signature below:
public function beforeFilter($function_called)
This function will be called before your service method which was called by the client. If this function returns true, then the service method is called. If not, then a security error is thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on this.
General PHP security
Since AMFPHP and all of the services you expose with it are nothing more than PHP files, you will want to familiarize yourself with some basic PHP security guidelines. Preventing SQL injection is one of the biggest areas that you need to make sure you protect against. There are many good articles on the web that explain how to prevent this attack. If you do a lot of PHP work, do yourself a favor and pick up a book like Essential PHP Security to make sure that you are being safe.