This is the fourth in a series of eight posts detailing tips on deploying to Zend Server. The previous post in the series detailed a trick I learned about when to execute a chmod statement during deployment.
Today, I'm sharing a tip about securing your Job Queue job scripts.
Tip 4: Secure your job scripts
In the second tip, I detailed when to register job scripts, but not how to write them. As it turns out, there's one very important facet to consider when writing job scripts: security.
One issue with Job Queue is that jobs are triggered… via the web. This means that they are exposed via the web, which makes them potential attack vectors. However, there's a simple trick to prevent access other than from Job Queue; add this at the top of your job scripts:
```php
// Refuse any request that was not dispatched by Job Queue.
if (! ZendJobQueue::getCurrentJobId()) {
    header('HTTP/1.1 403 Forbidden');
    exit(1);
}
```
While the jobs are invoked via HTTP, Zend Server has ways of tracking whether or not they are being executed in the context of Job Queue, and for which job. If ZendJobQueue::getCurrentJobId() returns a falsy value, then the script was not invoked via Job Queue, and you can exit immediately. I like to set a 403 status in these situations as well, but that's just a personal preference.
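The same guard as a shared include, as an added example that is not code from the original post. It also fails closed when the Job Queue extension is not loaded and logs each rejected request so direct hits show up in the PHP error log. The file name `job-guard.php` and the functions `isJobQueueRequest()` and `denyUnlessJobQueue()` are hypothetical; only `ZendJobQueue::getCurrentJobId()` comes from the post.

```php
<?php
// job-guard.php (hypothetical name): require this as the first statement
// of every job script. Written for PHP 7.1+ (return types, ?? operator).

/**
 * True only when Zend Server reports a current Job Queue job ID.
 * If the ZendJobQueue class is missing (extension not loaded), calling it
 * would raise a fatal error, so treat that case as "not a job" instead.
 */
function isJobQueueRequest(): bool
{
    if (! class_exists('ZendJobQueue', false)) {
        return false;
    }
    return (bool) ZendJobQueue::getCurrentJobId();
}

/** Replace non-printable bytes so request data cannot forge log lines. */
function logSafe(string $value): string
{
    return preg_replace('/[^\x20-\x7E]/', '?', $value);
}

/** Answer 403 and stop unless the request came from Job Queue. */
function denyUnlessJobQueue(): void
{
    if (isJobQueueRequest()) {
        return;
    }

    // Record who asked for the script directly, then refuse.
    error_log(sprintf(
        'Job script requested outside Job Queue: uri=%s remote=%s',
        logSafe($_SERVER['REQUEST_URI'] ?? '-'),
        logSafe($_SERVER['REMOTE_ADDR'] ?? '-')
    ));

    http_response_code(403);
    exit(1);
}

denyUnlessJobQueue();
```

Each job script then starts with `require __DIR__ . '/job-guard.php';` (path assumed), placed before any other work is done.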
Next time…
The next tip in the series builds on this one, and gives some best practices to follow when writing your job scripts.
Other articles in the series
- Tip 1: zf-deploy
- Tip 2: Recurring Jobs
- Tip 3: chmod
- Tip 5: Set your job status
- Tip 6: Page caching
- Tip 7: zs-client
- Tip 8: Automate