PHP Security

PHP Configuration Overrides

Mode	Meaning
PHP_INI_USER	Entry can be set in user scripts (like with ini_set())
PHP_INI_PERDIR	Entry can be set in php.ini, .htaccess or httpd.conf
PHP_INI_SYSTEM	Entry can be set in php.ini or httpd.conf
PHP_INI_ALL	Entry can be set anywhere

Configuration Settings

open_basedir

description

Limits all file operations to the defined directory and below. This directive makes most sense if used in a per-directory or per-virtualhost web server configuration file.

Default: Off
Recommended: webroot
Changeable: PHP_INI_ALL
Syntax: “/var/www:/usr/share/php”

Also it is prudent to disable symlink() function

disable_functions

description

Disable certain PHP functions from executing. Will throw a security warning error when they are used in code.

Default: None
Recommended: filesystem functions, system executable functions, phpinfo, etc.
Changeable: php.ini only
Syntax: “eval,file_get_contents”

expose_php

description

Adds a header to the HTTP response detailing the PHP version used.

Default: Enabled
Recommended: Disabled
Changeable: php.ini only

display_errors

description

Includes error output with script execution.

Default: Enabled
Recommended: Disabled on production servers
Changeable: PHP_INI_ALL

html_errors

description

Displays errors with HTML tags

Default: Enabled
Recommended: Disabled on production servers
Changeable: PHP_INI_ALL

post_max_size

description

Maximum size of POST data that PHP will accept.

Default: 8M
Recommended: Low as necessary to avoid denial of service.
Changeable: PHP_INI_PERDIR

enable_dl

description

Allows loading external PHP modules

Default: Enabled
Recommended: Disabled
Changeable: PHP_INI_SYSTEM

file_uploads

file_uploads

Allows uploading files.

Default: Enabled
Recommended: Disable if not being used
Changeable: PHP_INI_SYSTEM

upload_max_filesize

The max filesize of an uploaded file.

description

Default: 2M
Recommended: As large as needed for production, keep small otherwise to prevent denial of service.
Changeable: PHP_INI_PERDIR

max_file_uploads

description

Maximum number of files that can be uploaded via a single request.

Default: 20
Recommended: Lower value
Changeable: PHP_INI_SYSTEM

allow_url_fopen

description

Whether to allow the treatment of URLs (like http: or ftp:) as files.

Default: Off
Recommended: Off
Changeable: PHP_INI_SYSTEM (Appendix says PHP_INI_ALL, which is wrong)

allow_url_include

description

Whether to allow include/require to open URLs (like http: or ftp:) as files.

Default: Off
Recommended: Off
Changeable: PHP_INI_ALL

session.use_only_cookies

description

This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs

Sessions and security

Default: Off
Recommended: On for sites that store secure data in session, but requires cookies to be set in browser
Changeable: PHP_INI_ALL

session.cookie_httponly

description

Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.

Default: Off
Recommended: On for sites unless they use JavaScript to access session data (likely rare)
Changeable: PHP_INI_ALL

session.hash_function

description

Allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).

Default: MD5
Recommended: SHA1
Changeable: PHP_INI_ALL