Use a newer PHP runtime version#

Security · App Service · Rule · 2024_03 · Important

Configure applications to use newer PHP runtime versions.

Description#

Within a App Service app, the version of PHP runtime used to run application/ site code is configurable.

Overtime, a specific version of PHP may become outdated and no longer supported by Microsoft in Azure App Service. This can lead to security vulnerabilities or are simply not able to use the latest security features.

PHP 8.0 and 8.1 are approaching end of support.

Recommendation#

Consider updating the site to use a newer PHP runtime version such as 8.2.

Examples#

Configure with Azure template#

To deploy App Services that pass this rule:

Set properties.siteConfig.linuxFxVersion to a minimum of PHP|8.2.

For example:

Azure Template snippet

{
  "type": "Microsoft.Web/sites",
  "apiVersion": "2023-01-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "kind": "web",
  "properties": {
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
    "httpsOnly": true,
    "clientAffinityEnabled": false,
    "siteConfig": {
      "alwaysOn": true,
      "minTlsVersion": "1.2",
      "ftpsState": "Disabled",
      "http20Enabled": true,
      "healthCheckPath": "/healthz",
      "linuxFxVersion": "PHP|8.2"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
  ]
}

Configure with Bicep#

To deploy App Services that pass this rule:

Set properties.siteConfig.linuxFxVersion to a minimum of PHP|8.2.

For example:

Azure Bicep snippet

resource php 'Microsoft.Web/sites@2023-01-01' = {
  name: name
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  kind: 'web'
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    clientAffinityEnabled: false
    siteConfig: {
      alwaysOn: true
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      http20Enabled: true
      healthCheckPath: '/healthz'
      linuxFxVersion: 'PHP|8.2'
    }
  }
}

Configure with Azure Policy#

To address this issue at runtime use the following policies:

App Service apps that use PHP should use a specified 'PHP version' /providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3
App Service app slots that use PHP should use a specified 'PHP version' /providers/Microsoft.Authorization/policyDefinitions/f466b2a6-823d-470d-8ea5-b031e72d79ae

Notes#

From November 2022 - PHP is only supported on Linux-based plans.