Blog
June 24, 2025
As cybersecurity threats continue to evolve, creating a comprehensive PHP web application hardening strategy is an essential step for development teams. One of the most effective ways to harden apps and reduce your attack surface is by deploying CIS hardened Docker images. These images provide a solid foundation for securing PHP applications while also helping you to meet compliance standards and avoid costly breaches.
In this blog, I explore the importance of PHP web application hardening and cover the basics of what PHP developers need to know about CIS security benchmarks. Next, I introduce Zend CIS hardened Docker images, and I provide step-by-step instructions for deploying and configuring these images within your applications.
Why Web Application Hardening Matters
PHP’s popularity and ubiquitous usage make it a common target for malicious attacks. With the average cost of a security breach reaching nearly $4.88 million in 2024, and one hour of downtime losing businesses approximately $300,000 on average, leaving your PHP applications vulnerable can result in catastrophic expenses for your business. And that’s only the financial ramifications – never mind the complete loss of user confidence and future business opportunities.
PHP web application hardening protects your mission-critical PHP against exploitation from would-be attackers. Strategies such as input validation, sanitization, and enforcing secure file permissions are critical in preventing common threats like SQL injection and unauthorized access. Another proven approach to web application hardening is through the use of hardened container images, which are designed specifically to minimize attack surfaces and improve your application’s security.
However, with new vulnerabilities identified daily, and new mitigation techniques needed to meet evolving threats, many teams struggle with web application hardening: What strategies are best? Which best practices should be followed? How do you know if your PHP application is truly secure?
That’s where organizations such as the Center for Internet Security (CIS) come in.
CIS Security Benchmarks: Overview
CIS is a nonprofit organization dedicated to improving cybersecurity across public and private sectors. It develops globally recognized best practices, such as the CIS Controls and CIS Benchmarks, to help organizations secure their systems, networks, and data. CIS also operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), which supports U.S. state, local, tribal, and territorial governments in protecting against threats to critical applications.
What Are CIS Benchmarks?
CIS benchmarks are security configuration best practices provided by the Center for Internet Security. These vendor-agnostic guidelines help organizations securely configure systems, applications, and networks.
The purpose of CIS benchmarks is to standardize security configuration and improve cybersecurity by broadly reducing vulnerabilities across many systems. These benchmarks are developed by a global community of IT security experts, including government, business, and academic professionals. They are available for a wide range of technologies, including operating systems, cloud providers, applications, and network devices.
How CIS Benchmarks Impact PHP Developers
While CIS doesn’t provide specific benchmarks for PHP itself, it does provide benchmarks for other parts of a PHP stack. There are CIS benchmarks for operating systems (Windows, Linux, macOS), cloud providers (AWS, Azure, Google Cloud), web servers (Apache, Nginx, IIS), and database systems (MySQL, PostgreSQL, MSSQL).
Following CIS benchmarks where applicable throughout the stack can safeguard against common vulnerabilities and help meet compliance requirements for GDPR, HIPAA, PCI DSS, FedRAMP, and more. This can give your team a head start on meeting compliance standards, and then they can focus on securing their PHP environment further.
CIS Docker Benchmarks
CIS hardened Docker containers come with all the convenience and benefits that containerization provides, but with another layer of security. Docker containers make applications more portable and easy to move between host environments. They fit perfectly in the DevOps process for building and testing applications, and it’s typically fairly easy to swap between containers when wanting to move operating systems or swap out dependencies.
With CIS hardened Docker images, you get all the aforementioned benefits, plus the confidence that the container is secured by following CIS benchmarks.
Zend CIS Hardened Docker Images for PHP Apps
As part of our commitment to providing security for our customers’ PHP runtime, Zend now offers CIS hardened Docker images for PHP applications. Currently, all the Docker images in the Zend image repository are compliant with CIS Docker Benchmarks v1.6.0. We have followed these benchmarks for what we have control of – the container images and build files. Our documentation covers this in more detail and goes even further by providing details for what you need to do to ensure your entire Docker environment is compliant with CIS Docker benchmarks, including:
- Host configuration
- Docker daemon configuration and configuration files
- Container runtime configuration
- Docker security operations
- Docker Swarm configuration
Get Mission-Critical PHP Apps Container Ready
With a full suite of PHP container images, including CIS hardened Docker images, and deep expertise in guiding PHP containerization projects, Zend is here to ensure you find success in all containerization efforts.
How to Configure Zend CIS Hardened Docker Images
I will now walk through how to configure and deploy Zend CIS hardened Docker images in your PHP application. Refer to the relevant documentation as needed, and make sure to reach out to Zend if you run into any problems or difficulties during this process.
Step One: Host Configuration
To harden the host, specifically a Linux host, the first step is to ensure containers are kept in a separate partition mounted to /var/lib/docker. Doing this will isolate the containers from the rest of your host.
Then, ensure only trusted users are allowed to control the Docker daemon. This can be accomplished by removing any untrusted users from the docker user group and making sure there are no mappings of sensitive directories from the host to container volumes.
Next, ensure auditing is configured for the Docker daemon. Linux distributions come with an auditing daemon which can be configured using the /etc/audit/rules.d/audit.rules file. To audit docker, simply add -w /usr/bin/dockerd -k docker to this file and restart the audit service by running systemctl restart auditd.
Finally, ensure auditing is configured for all Docker files and directories. The Zend CIS hardened Docker image documentation covers how to accomplish this.
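The three host checks in this step can be scripted so they run as a pre-flight before every deployment. The following is an added example, not code from Zend's documentation: each check reads a file in the format of /proc/mounts, /etc/group or /etc/audit/rules.d/audit.rules (so it can be pointed at the real host files or at test copies), and the script assumes a Linux host with auditd installed. The trusted-user list and the sample file contents in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example (not from Zend's documentation): pre-flight checks for the
# Step One host items.  Each function prints a verdict and returns 0 (pass)
# or 1 (fail), and takes the file to inspect as its first argument so it can
# be run against the real host files or against constructed samples.

# 1. Is /var/lib/docker its own mount point?  Input: a /proc/mounts-style file.
check_docker_partition() {
    mounts_file="$1"
    if awk '$2 == "/var/lib/docker" { found = 1 } END { exit !found }' "$mounts_file"; then
        echo "PASS: /var/lib/docker is a separate mount"
        return 0
    fi
    echo "FAIL: /var/lib/docker is not a separate mount"
    return 1
}

# 2. Are only trusted users in the docker group?  Inputs: an /etc/group-style
#    file and a space-separated allow list of user names.
check_docker_group() {
    group_file="$1"
    trusted="$2"
    members=$(awk -F: '$1 == "docker" { print $4 }' "$group_file" | tr ',' ' ')
    untrusted=""
    for m in $members; do
        case " $trusted " in
            *" $m "*) ;;                       # on the allow list
            *) untrusted="$untrusted $m" ;;    # not on the allow list
        esac
    done
    if [ -z "$untrusted" ]; then
        echo "PASS: docker group contains only trusted users"
        return 0
    fi
    echo "FAIL: untrusted members of the docker group:$untrusted"
    return 1
}

# 3. Does the audit rule set watch the dockerd binary under the "docker" key?
check_audit_rule() {
    rules_file="$1"
    if grep -Eq '^[[:space:]]*-w[[:space:]]+/usr/bin/dockerd[[:space:]]+.*-k[[:space:]]+docker' "$rules_file"; then
        echo "PASS: auditd watches /usr/bin/dockerd"
        return 0
    fi
    echo "FAIL: add '-w /usr/bin/dockerd -k docker' to /etc/audit/rules.d/audit.rules and restart auditd"
    return 1
}

# Run all three against the real host files.  $1 is the allow list of users
# permitted to control the daemon (an assumption for the example).
host_preflight() {
    status=0
    check_docker_partition /proc/mounts                || status=1
    check_docker_group /etc/group "$1"                 || status=1
    check_audit_rule /etc/audit/rules.d/audit.rules    || status=1
    return $status
}

# Usage: ./host_preflight.sh --run "alice deploybot"
case "${1:-}" in
    --run) host_preflight "${2:-}" ;;
esac
```

Running the script with --run and the allow list exits non-zero if any of the three items is out of line, which makes it easy to wire into a CI or configuration-management gate.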
Step Two: Docker Daemon Configuration
These are the recommended settings for hardening the Docker daemon configuration:
| Configuration Attribute | Recommended Setting |
| --- | --- |
| Docker daemon | Run as a non-root user, if possible |
| Network traffic | Restrict between containers on the default bridge |
| Logging level | Set to ‘info’ |
| Docker | Allow it to make changes to iptables |
| Insecure registries | Do not use |
| aufs storage driver | Do not use |
| TLS authentication | Configure for Docker daemon |
| Default ulimit | Configure appropriately |
| User namespace support | Enable |
| The default cgroup usage | Must be confirmed |
| Base device size | Do not change until needed |
| Authorization for Docker client commands | Enable |
| Centralized and remote logging | Configure them |
| Containers | Restrict them from acquiring new privileges |
| Live restore | Enable |
| Userland Proxy | Disable |
| Daemon-wide custom seccomp profile | Apply, if appropriate |
| Experimental features | Do not implement in production |
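Most rows of this table map directly onto keys in /etc/docker/daemon.json. The script below is an added example, not Zend's code: it emits a daemon.json covering those rows and includes a grep-based checker that verifies an existing daemon.json against them. The certificate and seccomp profile paths, the nofile limit and the syslog address are assumptions for the example; the key names are the documented dockerd configuration keys. Two rows are deliberately not in the generated file because their values are deployment-specific: the authorization plugin (authorization-plugins) and the cgroup driver; and "insecure registries: do not use" is expressed by the absence of an insecure-registries key, which the checker enforces.

```shell
#!/bin/sh
# Added example (not Zend's code): generate and check a daemon.json for the
# Step Two settings.  Paths, the ulimit and the syslog endpoint below are
# assumptions for the example; the key names are real dockerd keys.

recommended_daemon_json() {
    cat <<'EOF'
{
  "icc": false,
  "log-level": "info",
  "iptables": true,
  "storage-driver": "overlay2",
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "default-ulimits": { "nofile": { "Name": "nofile", "Hard": 64000, "Soft": 64000 } },
  "userns-remap": "default",
  "log-driver": "syslog",
  "log-opts": { "syslog-address": "tcp://logs.example.internal:514" },
  "no-new-privileges": true,
  "live-restore": true,
  "userland-proxy": false,
  "seccomp-profile": "/etc/docker/seccomp-hardened.json",
  "experimental": false
}
EOF
}

# Verify a daemon.json against the recommended values.  grep-only so it works
# without jq; assumes one key per line as in the file generated above.
check_daemon_json() {
    f="$1"
    failures=0
    for pair in \
        'icc:false' \
        'log-level:"info"' \
        'iptables:true' \
        'tlsverify:true' \
        'userns-remap:"default"' \
        'no-new-privileges:true' \
        'live-restore:true' \
        'userland-proxy:false' \
        'experimental:false'
    do
        key=${pair%%:*}
        want=${pair#*:}
        if grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*$want" "$f"; then
            echo "ok   $key = $want"
        else
            echo "MISS $key should be $want"
            failures=$((failures + 1))
        fi
    done
    if grep -q '"storage-driver"[[:space:]]*:[[:space:]]*"aufs"' "$f"; then
        echo "MISS storage-driver must not be aufs"; failures=$((failures + 1))
    fi
    if grep -q '"insecure-registries"' "$f"; then
        echo "MISS insecure-registries must not be configured"; failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Usage: ./daemon_json.sh --print > /etc/docker/daemon.json
#        ./daemon_json.sh --check /etc/docker/daemon.json
case "${1:-}" in
    --print) recommended_daemon_json ;;
    --check) check_daemon_json "${2:-/etc/docker/daemon.json}" ;;
esac
```

After changing daemon.json, validate it with dockerd --validate where your Docker version supports it, then restart the daemon; with live-restore enabled, running containers survive the restart.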
Step Three: Docker Daemon Configuration Files
These are the recommended configurations for hardening the Docker daemon files:
| File/Directory to Secure | File Ownership | File Permissions |
| --- | --- | --- |
| docker.service file | root:root | As appropriate |
| docker.socket file | root:root | 644 or stricter |
| /etc/docker directory | root:root | 755 or stricter |
| registry certificate file | root:root | 444 or stricter |
| TLS CA certificate file | root:root | 444 or stricter |
| Docker server certificate | root:root | 444 or stricter |
| Docker server certificate key file | root:root | 400 or stricter |
| Docker socket file | root:root | 660 or stricter |
| daemon.json file | root:docker | 644 or stricter |
| /etc/default/docker file | root:root | 644 or stricter |
| /etc/sysconfig/docker file | root:root | 644 or stricter |
| Containerd socket file | root:root | 660 or stricter |
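"644 or stricter" is a bitwise condition, not a numeric one: a file passes if it sets no permission bit that the limit does not set, so 600 passes against 644, while 664 and even 700 (owner-execute is not in 644) fail. The script below is an added example, not code from Zend's documentation, that checks the table above with that rule. It assumes GNU stat (Linux), assumes the usual systemd unit and socket paths, uses 644 for the "as appropriate" docker.service row, and assumes certificate paths under /etc/docker/certs; the registry certificate directory is not walked. The owner values are taken from the table as written.

```shell
#!/bin/sh
# Added example (not from Zend's documentation): verify the Step Three
# ownership/permission table.  Assumes GNU stat; paths marked "assumed" are
# the usual locations and may differ on your distribution.

# Return 0 if octal mode $1 sets no bit outside octal mode $2 ("$2 or stricter").
mode_at_most() {
    actual=$((0$1))
    limit=$((0$2))
    [ $((actual & ~limit)) -eq 0 ]
}

# Check one path against an owner "user:group" and a maximum mode.  Files that
# are not present are reported and skipped (several rows are optional files).
check_path() {
    path="$1"; owner="$2"; maxmode="$3"
    if [ ! -e "$path" ]; then
        echo "skip $path (not present)"
        return 0
    fi
    actual_owner=$(stat -c '%U:%G' "$path")
    actual_mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $path owner $actual_owner, want $owner"; rc=1
    fi
    if ! mode_at_most "$actual_mode" "$maxmode"; then
        echo "FAIL $path mode $actual_mode, want $maxmode or stricter"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok   $path ($actual_owner $actual_mode)"
    return $rc
}

# The table rows as "path owner max-mode" triples.
check_docker_files() {
    status=0
    while read -r path owner maxmode; do
        [ -z "$path" ] && continue
        check_path "$path" "$owner" "$maxmode" || status=1
    done <<'EOF'
/usr/lib/systemd/system/docker.service root:root 644
/usr/lib/systemd/system/docker.socket root:root 644
/etc/docker root:root 755
/etc/docker/certs/ca.pem root:root 444
/etc/docker/certs/server-cert.pem root:root 444
/etc/docker/certs/server-key.pem root:root 400
/var/run/docker.sock root:root 660
/etc/docker/daemon.json root:docker 644
/etc/default/docker root:root 644
/etc/sysconfig/docker root:root 644
/run/containerd/containerd.sock root:root 660
EOF
    return $status
}

# Usage: sudo ./docker_files_check.sh --check
case "${1:-}" in
    --check) check_docker_files ;;
esac
```

Run it as root so that stat can read the socket and key files; a non-zero exit means at least one row failed, and the FAIL lines name the path, the observed value and the expected value.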
Step Four: Container Images and Build File
Zend handles this subsection for you. For more information about how this is done, please refer to our documentation or contact us today to speak with one of our PHP experts.
Step Five: Container Runtime Configuration
These are the recommended configurations for hardening the container runtime:
| Configuration Attribute | Recommended Setting |
| --- | --- |
| Swarm mode | Do not enable, unless needed |
| AppArmor Profile | Enable, if applicable |
| SELinux security options | Set, if applicable |
| Linux kernel capabilities | Restrict within containers |
| Privileged containers | Do not use |
| Sensitive host system directories | Do not mount on containers |
| sshd | Do not run within containers |
| Privileged ports | Do not map within containers |
| Ports | Open only needed ports on the container |
| The host’s network namespace | Do not share |
| The host’s IPC namespace | Do not share |
| Host devices | Do not directly expose to containers |
| Default ulimit | Overwrite at runtime if needed |
| Mount propagation mode | Do not set to shared |
| The host’s UTS namespace | Do not share |
| The default seccomp profile | Do not disable |
| Docker exec commands | Do not use with the privileged option |
| Docker exec commands | Do not use with the user=root option |
| cgroup usage | Must be confirmed |
| Container | Restrict from acquiring additional privileges |
| Docker commands | Always make use of the latest version of the image |
| PIDs cgroup limit | Use it |
| Docker’s default bridge “docker0” | Do not use it |
| The host’s user namespaces | Do not share |
| Docker socket | Do not mount inside any containers |
Step Six: Docker Security Operations
There are a few steps to ensure you’re following best practices to avoid operational security issues associated with Docker deployments.
First, ensure that image sprawl is avoided. Keep only the images that you actually need and establish a workflow to remove old or stale images from the host. Additionally, use features such as pull-by-digest to get specific images from the registry.
Next, ensure that container sprawl is also avoided. Periodically check your container inventory on each host and clean up containers which are not in active use with the command docker container prune.
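Most of the runtime table in Step Five and the pull-by-digest point in Step Six can be enforced before a container is ever started by inspecting the docker run command line itself. The following is an added example, not Zend's code: a shell lint that takes the arguments of one docker run, reports each flag that contradicts the table (privileged mode, shared host namespaces, the docker socket or sensitive host directories as volumes, shared mount propagation, host devices, privileged host ports, a disabled seccomp or AppArmor profile), reports what is missing (dropping capabilities, no-new-privileges, a PID limit) and checks that the image is pinned by digest. It works on the words of the command only, so it runs in CI without a Docker daemon. The image names, digest, network name and paths in the two sample invocations are constructed for the example.

```shell
#!/bin/sh
# Added example (not Zend's code): lint `docker run` arguments against the
# Step Five runtime table and the Step Six pull-by-digest practice.  Only the
# command line is inspected; no Docker daemon is needed.

# Return 0 if the image reference is pinned by digest (name@sha256:<64 hex>).
image_is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print the host port of a -p/--publish value ("8080:80", "127.0.0.1:443:443"),
# or nothing for a bare container port (Docker then picks a random host port).
host_port_of() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f2 ;;
        *:*)   printf '%s\n' "$1" | cut -d: -f1 ;;
        *)     : ;;
    esac
}

# Host-side source of a -v value ("src:dst[:opts]") or a --mount value
# ("type=bind,source=/x,target=/y,...").
mount_source() {
    case "$1" in
        *,*) printf '%s\n' "$1" | tr ',' '\n' | sed -En 's/^(source|src)=//p' ;;
        *)   printf '%s\n' "${1%%:*}" ;;
    esac
}

finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Lint the arguments of one `docker run`; prints findings and returns 1 if any.
lint_docker_run() {
    findings=0; pending=""; image=""
    no_new_privs=0; pids_limit=0; cap_drop_all=0
    for arg in "$@"; do
        # Re-join "--opt value" as "--opt=value" so each option has one form.
        if [ -n "$pending" ]; then
            arg="$pending=$arg"; pending=""
        else
            case "$arg" in
                --net|--network|--ipc|--uts|--pid|--userns|--cap-add|--cap-drop|--security-opt|-v|--volume|--mount|--device|-p|--publish|--pids-limit|--user|-u|--name|-e|--env|--memory|--cpus)
                    pending="$arg"; continue ;;
            esac
        fi
        case "$arg" in
            --privileged)                       finding "privileged container" ;;
            --net=host|--network=host)          finding "host network namespace shared" ;;
            --ipc=host)                         finding "host IPC namespace shared" ;;
            --uts=host)                         finding "host UTS namespace shared" ;;
            --pid=host)                         finding "host PID namespace shared" ;;
            --userns=host)                      finding "host user namespace shared" ;;
            --cap-add=ALL|--cap-add=all)        finding "all kernel capabilities added" ;;
            --cap-drop=ALL|--cap-drop=all)      cap_drop_all=1 ;;
            --security-opt=no-new-privileges*)  no_new_privs=1 ;;
            --security-opt=seccomp=unconfined|--security-opt=seccomp:unconfined)
                                                finding "default seccomp profile disabled" ;;
            --security-opt=apparmor=unconfined) finding "AppArmor profile disabled" ;;
            --pids-limit=*)                     pids_limit=1 ;;
            --device=*)                         finding "host device exposed: ${arg#*=}" ;;
            -v=*|--volume=*|--mount=*)
                val=${arg#*=}
                case "$val" in
                    *docker.sock*)  finding "docker socket mounted" ;;
                    *:shared*|*:rshared*|*propagation=shared*|*propagation=rshared*)
                                    finding "shared mount propagation" ;;
                esac
                src=$(mount_source "$val")
                case "$src" in
                    /|/boot|/dev|/etc|/lib|/proc|/sys|/usr|/boot/*|/dev/*|/etc/*|/lib/*|/proc/*|/sys/*|/usr/*)
                        finding "sensitive host directory mounted: $src" ;;
                esac ;;
            -p=*|--publish=*)
                hp=$(host_port_of "${arg#*=}"); hp=${hp%%-*}
                if [ -n "$hp" ] && [ "$hp" -lt 1024 ]; then
                    finding "privileged host port mapped: $hp"
                fi ;;
            -*) ;;                              # any other option: no finding
            *)  image="$arg"; break ;;          # first positional word is the image
        esac
    done
    [ "$cap_drop_all" -eq 1 ] || finding "capabilities not restricted (add --cap-drop ALL)"
    [ "$no_new_privs" -eq 1 ] || finding "missing --security-opt no-new-privileges"
    [ "$pids_limit" -eq 1 ]   || finding "missing --pids-limit"
    if [ -n "$image" ] && ! image_is_digest_pinned "$image"; then
        finding "image not pinned by digest: $image"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed invocation that satisfies the table (image and digest are made up).
hardened_run_example() {
    lint_docker_run --name app --read-only \
        --cap-drop ALL --cap-add NET_BIND_SERVICE \
        --security-opt no-new-privileges --pids-limit 200 \
        --network app-net -p 127.0.0.1:8080:8080 \
        registry.example.internal/php-app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}

# Constructed invocation that breaks several rows at once.
weak_run_example() {
    lint_docker_run --privileged --net host \
        -v /var/run/docker.sock:/var/run/docker.sock \
        -v /etc:/host-etc:ro -p 80:80 php:8.3-apache
}
```

Use it as lint_docker_run followed by the exact arguments you would pass to docker run; the user-defined network (--network app-net) in the hardened example is what keeps the container off the default docker0 bridge, and the digest-pinned reference is what makes a later docker pull reproducible.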
Step Seven: Docker Swarm Configuration
These are the recommended configurations for hardening the Docker Swarm configuration:
| Configuration Attribute | Recommended Setting |
| --- | --- |
| Manager nodes | Create a minimum number in a swarm |
| Swarm services | Bind to a specific host interface |
| Docker swarm overlay networks | Encrypt them |
| Docker’s secret management commands | Use for managing secrets in a swarm cluster |
| Swarm manager | Run in auto-lock mode |
| Swarm manager auto-lock key | Rotate periodically |
| Node certificates | Rotate as appropriate |
| CA certificates | Rotate as appropriate |
| Management plane traffic | Keep separate from data plane traffic |
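The rows of this table correspond to specific docker swarm, docker network and docker secret commands. The script below is an added example, not Zend's code, that wraps those commands in small functions; setting DRY_RUN=1 prints each command instead of executing it, so the resulting plan can be reviewed before it touches a cluster. The interface addresses, network name, secret name and certificate lifetime are constructed for the example.

```shell
#!/bin/sh
# Added example (not Zend's code): the docker CLI commands behind the Step
# Seven table.  DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Initialise the first manager: listen and advertise on the management
# interface only, carry overlay (data-plane) traffic on a separate interface,
# and start auto-locked so the Raft store's encryption keys are not kept on
# disk in the clear.  $1 = management address, $2 = data-plane address.
swarm_init_hardened() {
    mgmt_addr="$1"; data_addr="$2"
    run docker swarm init --autolock \
        --listen-addr "$mgmt_addr:2377" \
        --advertise-addr "$mgmt_addr" \
        --data-path-addr "$data_addr"
}

# Create an overlay network whose data plane is encrypted between nodes.
overlay_network_encrypted() {
    run docker network create --driver overlay --opt encrypted "$1"
}

# Store a secret with Docker's secret management; the value is read from
# stdin so it never appears in a command line or shell history.
secret_from_stdin() {
    run docker secret create "$1" -
}

# Rotation: the auto-lock unlock key, node certificate lifetime (certificates
# renew automatically before expiry), and the swarm CA.  $1 = cert lifetime.
swarm_rotate() {
    run docker swarm unlock-key --rotate
    run docker swarm update --cert-expiry "${1:-720h}"
    run docker swarm ca --rotate
}

# Usage: DRY_RUN=1 ./swarm_harden.sh --plan 10.0.0.5 10.0.1.5
case "${1:-}" in
    --plan)
        swarm_init_hardened "$2" "$3"
        overlay_network_encrypted app-net
        printf '%s' 'constructed-secret-value' | secret_from_stdin db_password
        swarm_rotate 720h ;;
esac
```

After docker swarm init --autolock, store the printed unlock key somewhere safe: a restarted manager will not rejoin the cluster until docker swarm unlock is run with it, which is the point of the setting.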
Final Thoughts
PHP web application hardening requires a strong approach across your entire deployment stack, and using Zend CIS hardened Docker images will provide you with pre-hardened environments aligned with recognized security benchmarks. Your development team can maintain compliance standards, reduce risks, and stay ahead of emerging threats, allowing your developers to focus on other projects and priorities.
To ensure even more successful web application hardening, Zend offers a variety of solutions to make your mission-critical PHP possible. For instance, through our ZendPHP secure and supported runtimes, you can upgrade PHP versions on your schedule, gain 24/7/365 support, and unlock backported security patches to keep your applications safe, secure, and compliant. Add in the advanced ZendHQ extension, and you access instant application insights, real-time root cause analysis, and integration with existing PHP APMs without the need for re-platforming.
Stay Secure With ZendPHP + ZendHQ
ZendPHP runtimes and the ZendHQ extension support and secure your mission-critical web applications. Try both free for 21 days to see how they fit in your infrastructure, no commitment required.
Additional Resources
- On-Demand Webinar - Tackling Prevalent PHP Vulnerabilities at Scale
- 101 Guide - Getting Started With PHP Security
- Blog - PHP Application Security and Compliance Trends
- Blog - How to Prepare PHP Web Apps for Disaster
- Blog - Everything You Need to Know About Maintaining PHP Compliance
- Blog - PHP Docker Images: Tips and Tricks
- Blog - How to Build Rootless Docker Images With ZendPHP