Suhosin

Suhosin, the Korean word for “Guardian Angel”, was designed to provide hardening and security for PHP, the web technology and programming language used by more than 80% of the world’s websites today.

Suhosin takes a dual-pronged approach to security: it ships as both a patch to PHP and a PHP extension, and the two parts work independently as well as in combination with one another. The Suhosin PHP hardening solution was written by a German organization called Sektion Eins.

Originally unveiled in October 2006 and continuously updated ever since, this PHP security extension provides individual website owners, web application developers, programmers, and server administrators the opportunity to dramatically overhaul the security of their PHP installation without having to handle a lot of the heavy lifting of writing code themselves.

Impressively, the Suhosin platform has also been designed to dramatically reduce the overall attack surface of PHP as soon as it has been installed. A variety of protections, including whitelists, resource limits, transparent sessions, encryption of cookies, content filters, security logging, and more, all add extra layers of protection and barriers against cyber attack that do not exist in the “vanilla” form of PHP.

Multi-Pronged Approach to PHP Security

As highlighted above, the dual security approaches taken by the developers of Suhosin – the patch as well as the extension itself – give website and web application owners as well as server administrators a lot more control over how they go about hardening their PHP platform.

Both components can be installed quickly by modifying the php.ini or other configuration files already live on a PHP server, and administrators have the option of installing one or the other of these security features or both of them at the same time.

Most choose to install both even if they plan on implementing only one part of the Suhosin platform to begin with, if only to streamline things significantly and to allow the other component, patch or extension, to be brought into use with as little extra work as possible later down the line.

It should be noted that individuals choosing to install only the Suhosin patch will find that logging features are the only aspect that goes live immediately. On the flip side, those who choose to install only the Suhosin extension won’t be able to use the predefined constants and configuration data, and instead have to go into the extension and configure all of the settings on their own.

Choosing to use one aspect of Suhosin or the other will somewhat limit the features you can leverage, which inevitably reduces the overall security and hardening improvement compared to what you would have seen by implementing both of these components at the same time.

When the Suhosin extension is used on its own, fine tuning of the logging feature is turned off, the options for tuning system log facilities are reduced, and the additional protections available for mail() function headers are significantly reduced.

You’ll also find that the ability to tune Suhosin’s responses to individual security violations is somewhat limited when you’re using only the extension, as opposed to the patch and the extension in conjunction with one another.

Leveraging the Suhosin Patch and Extension

Many people thinking about moving forward with the Suhosin patch and extension are nervous about whether their online platform or web application will break because of the restrictions placed on PHP by the hardening process.

The good news is that you have nothing to worry about in this department!

While specifically designed to dramatically overhaul security performance and hardening, the Suhosin patch and extension are also very forward thinking in their application. Suhosin includes (right out of the box, so to speak) a special configuration option, suhosin.simulation.

When this setting is enabled, the Suhosin extension continues to log every individual security violation and provides you with full reporting, but it does not block those actions across the board; you decide which blocks are necessary. This allows full functionality and usability of your PHP environment while still giving you information about potential security threats or vulnerabilities that need to be addressed.
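As an added example that is not part of the original article, the php.ini fragment below shows how the simulation setting fits into a two-stage rollout: the directive names are Suhosin’s own, while the variable limits and the choice of protections are assumed values for illustration.

```ini
; Added example (not from the article): staged Suhosin rollout in php.ini.
; Stage 1 runs in simulation mode so violations are logged but never blocked;
; stage 2 turns simulation off once the log shows no false positives.
; Limits below are assumed values, not recommendations from the article.

; ---- Stage 1: observe only ---------------------------------------------
suhosin.simulation = On          ; log violations, do not block them

; Send every violation class to syslog so the rollout can be reviewed
; (511 is the bitmask of all standard classes, S_ALL in Suhosin's constants)
suhosin.log.syslog = 511

; ---- The rules being evaluated while in simulation ---------------------
; Disable eval() entirely; violations show up in the log during stage 1
suhosin.executor.disable_eval = On
; Limit "../" components allowed in include paths (assumed value)
suhosin.executor.include.max_traversal = 4
; Transparently encrypt session data and cookies (no application changes)
suhosin.session.encrypt = On
suhosin.cookie.encrypt = On
; Cap the number of request variables accepted per source (assumed values)
suhosin.get.max_vars = 100
suhosin.post.max_vars = 200
suhosin.request.max_vars = 200
; Detect header injection in mail() calls (0 = off, 1 = basic protection)
suhosin.mail.protect = 1

; ---- Stage 2: enforce (apply only after the simulation log is clean) ----
; suhosin.simulation = Off
```

Running stage 1 first is what lets you see which of these rules a legacy application would trip before any request is actually refused.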

A lot of people curious about using Suhosin will wonder whether it is backwards compatible with older versions of PHP. While more than 80% of the internet runs on PHP platforms, not all of them have been updated to the latest version of the language.

You’ll be happy to know that Suhosin works perfectly well (both the patch and the extension) on PHP versions as early as 5.0. This gives you a lot of backwards compatibility to harden and secure older websites using legacy PHP versions, at least until you’re able to upgrade them and use later versions of the Suhosin patch and extension modules.

Moving Forward

Those seriously interested in protecting their web platform (especially given how connected our modern world is today, and how important cybersecurity is now more than ever before) would be wise to look into leveraging all that the Suhosin extension and patch combination have to offer.

Digital thieves and cyber criminals will always look for ways to exploit the “lowest hanging fruit”, specifically targeting PHP flaws and vulnerabilities that have yet to be patched by website owners and server administrators who have not gone through a security audit or a hardening process.

Suhosin allows you to significantly stiffen your PHP security almost immediately without having to do any of the coding yourself. The patch and the extension working in conjunction with one another significantly improve your overall ability to push back against modern cyber attacks, eliminating many of the easy roads into your server that used to be available while at the same time protecting your web server and your website or application against more sophisticated assaults as well.

Best of all, the Suhosin platform is 100% open source and freely available to take advantage of. This guarantees a level of transparency and access you just won’t have with more traditional PHP hardening or security solutions.