PHP Security

PHP Configuration Overrides

Mode             Meaning
PHP_INI_USER     Entry can be set in user scripts (with ini_set()), in .user.ini (PHP 5.3+) or in the Windows registry
PHP_INI_PERDIR   Entry can be set in php.ini, .htaccess, httpd.conf or .user.ini
PHP_INI_SYSTEM   Entry can be set in php.ini or httpd.conf
PHP_INI_ALL      Entry can be set anywhere

The mode is the security-relevant property of every directive below: a setting marked PHP_INI_SYSTEM (or "php.ini only") cannot be loosened by application code, so it still holds once an attacker can execute PHP, whereas a PHP_INI_ALL setting is only a default that any script may override with ini_set().
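How these modes behave at runtime, as an added example that is not part of the original page: the script (assumed to run under the PHP CLI on a Unix-like host, PHP 7.0 or later) tries to override one directive of each kind with ini_set() and reports which attempts PHP refuses. The jail path is taken from the system temp directory so it runs anywhere.

```php
<?php
// Added example, not code from the original page: shows how a directive's
// PHP_INI_* mode decides whether ini_set() may change it once a script runs.
// Assumes the PHP CLI on a Unix-like host:  php ini_modes.php
declare(strict_types=1);

/** Attempt a runtime override and report whether PHP accepted it. */
function try_set(string $name, string $value): bool
{
    $result = ini_set($name, $value);        // false when the mode forbids it here
    $after  = (string) ini_get($name);
    printf("%-20s := %-8s %s (now %s)\n", $name, var_export($value, true),
        $result === false ? 'REFUSED' : 'changed', var_export($after, true));
    return $result !== false && $after === $value;
}

// PHP_INI_ALL: any script can change these. display_errors=Off in php.ini
// therefore does not survive an attacker who can already execute PHP; it only
// protects against accidental disclosure by honest code.
try_set('display_errors', '0');
try_set('html_errors', '1');

// "php.ini only" / PHP_INI_SYSTEM: refused at runtime, even from trusted code.
// These are the settings that still hold after a code-execution compromise.
try_set('disable_functions', '');
try_set('expose_php', '1');
try_set('allow_url_fopen', '1');
try_set('file_uploads', '1');

// open_basedir is PHP_INI_ALL but special-cased: at runtime it can only be
// tightened (every new path must lie inside the current ones), never loosened.
// The trailing slash matters: "/tmp" alone would also permit "/tmpfoo".
$jail = rtrim(sys_get_temp_dir(), '/') . '/';
try_set('open_basedir', $jail);   // accepted: restricting from unrestricted
try_set('open_basedir', '/');     // refused: would widen the restriction
var_dump(@file_get_contents('/etc/passwd'));   // bool(false): outside the jail
```

Run it once from the CLI and once through the web SAPI you deploy (as a throwaway script): the refused set is the same, but the starting values differ because php-cli ships its own defaults for display_errors and html_errors.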

Configuration Settings

open_basedir

Limits all file operations to the listed directories and everything below them. The directive is most useful in a per-directory or per-virtual-host web server configuration (for example php_admin_value open_basedir inside an Apache <VirtualHost>), so that each site is confined to its own tree.

  • Default: not set (no restriction)
  • Recommended: the site's webroot, plus any include or temp directories the application needs
  • Changeable: PHP_INI_ALL (since PHP 5.3 a script may only tighten it at runtime, never loosen it)
  • Syntax: “/var/www/:/usr/share/php/” (paths separated by : on Unix and ; on Windows)

The comparison is a string prefix match, so end each path with a slash: “/var/www” would also permit “/var/www2”. Also disable the symlink() function via disable_functions, since symlink() is the usual ingredient of open_basedir bypasses.

disable_functions

Prevents the listed internal PHP functions from being called. Before PHP 8 a call to a disabled function emits a warning ("has been disabled for security reasons") and returns null; as of PHP 8.0 the function is treated as undefined and the call throws an Error. Only internal (built-in) functions can be listed: user-defined functions are unaffected, and language constructs such as eval, include and require cannot be disabled this way.

  • Default: none
  • Recommended: the process-execution functions (exec, passthru, shell_exec, system, proc_open, popen), dl, phpinfo, symlink, and any filesystem functions the application does not need
  • Changeable: php.ini only
  • Syntax: “exec,passthru,shell_exec,system,proc_open,popen,phpinfo”

expose_php

Adds an X-Powered-By: PHP/x.y.z header to every HTTP response, telling scanners exactly which PHP version to target.

  • Default: Enabled
  • Recommended: Disabled
  • Changeable: php.ini only

display_errors

Prints PHP errors, warnings and notices into the script output, which leaks absolute paths, SQL fragments and other internals to the client.

  • Default: Enabled
  • Recommended: Disabled on production servers, with log_errors = On and error_log pointing at a file outside the webroot so the information still reaches the operator
  • Changeable: PHP_INI_ALL (so it only governs honest code; a script can re-enable it)

html_errors

Wraps displayed errors in HTML tags (and, with docref_root set, links them to the manual).

  • Default: Enabled
  • Recommended: Disabled on production servers
  • Changeable: PHP_INI_ALL

post_max_size

Maximum size of a POST request body that PHP will accept. A request larger than this is not rejected with an error: $_POST and $_FILES simply arrive empty, so the application must detect that case itself (for example by comparing $_SERVER['CONTENT_LENGTH'] against the limit).

  • Default: 8M
  • Recommended: As low as the application allows, to limit denial of service; it must be at least upload_max_filesize, and memory_limit should in turn be larger than post_max_size
  • Changeable: PHP_INI_PERDIR

enable_dl

Allows scripts to load additional PHP extensions at runtime with dl(), which means arbitrary native code if an attacker can write a shared object somewhere PHP can read it. Modern PHP only offers dl() in the CLI and embed SAPIs (it was dropped from the Apache module in 5.3 and from PHP-FPM in 7.0), but disable it explicitly so a build or SAPI change cannot bring it back.

  • Default: Enabled
  • Recommended: Disabled
  • Changeable: PHP_INI_SYSTEM

file_uploads

Allows HTTP file uploads (populating $_FILES and writing the temporary files to upload_tmp_dir).

  • Default: Enabled
  • Recommended: Disable if the application does not accept uploads; if it does, keep upload_tmp_dir and the final storage location outside the webroot
  • Changeable: PHP_INI_SYSTEM

upload_max_filesize

The maximum size of a single uploaded file.

  • Default: 2M
  • Recommended: As large as production needs and no larger, to limit denial of service; keep it at or below post_max_size, or uploads of that size fail silently
  • Changeable: PHP_INI_PERDIR

max_file_uploads

Maximum number of files that can be uploaded in a single request.

  • Default: 20
  • Recommended: The number the application actually accepts per request, usually 1
  • Changeable: PHP_INI_SYSTEM

allow_url_fopen

Whether URL wrappers (http://, ftp:// and the like) may be used with file functions such as fopen(), file_get_contents() and include. With it on, any path an attacker controls in those calls becomes a server-side request.

  • Default: On
  • Recommended: Off; use the curl extension for deliberate outbound HTTP, which this setting does not affect
  • Changeable: PHP_INI_SYSTEM (some older documentation listed PHP_INI_ALL, which is wrong)

allow_url_include

Whether include, include_once, require and require_once may open URLs as files. Enabling it turns any injectable include path into remote code execution. It only takes effect when allow_url_fopen is also on, and it has been deprecated since PHP 7.4.

  • Default: Off
  • Recommended: Off
  • Changeable: PHP_INI_SYSTEM (it cannot be switched on from a script)

session.use_only_cookies

Makes PHP accept session IDs only from cookies, never from the query string or POST body, which defeats session fixation through crafted URLs such as ?PHPSESSID=... Pair it with session.use_trans_sid = 0 so PHP does not append the ID to URLs itself.

  • Default: On since PHP 5.3.0 (Off before)
  • Recommended: On for any site that keeps sensitive data in the session; users must have cookies enabled
  • Changeable: PHP_INI_ALL

session.cookie_httponly

Whether to set the HttpOnly flag on the session cookie, which hides it from browser scripting such as JavaScript (document.cookie) and so keeps an XSS from reading the session ID outright.

  • Default: Off
  • Recommended: On, unless the site's JavaScript reads the session cookie (rare, and itself a bad sign); on HTTPS sites also set session.cookie_secure = On
  • Changeable: PHP_INI_ALL

session.hash_function

Selects the hash algorithm used to generate session IDs: '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits); from PHP 5.3 any name from hash_algos() (for example sha256) is accepted. The directive was removed in PHP 7.1, which draws session IDs directly from a CSPRNG and sizes them with session.sid_length and session.sid_bits_per_character.

  • Default: MD5
  • Recommended: SHA-1, or sha256 on PHP 5.3 to 7.0; nothing to set on 7.1 and later
  • Changeable: PHP_INI_ALL
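The recommendations above collected into a runtime audit, as an added example that is not part of the original page: the script reads each directive with ini_get(), applies the checks discussed (including the upload size ordering and the fact that eval cannot be disabled), and prints the php.ini line that would correct each deviation. The webroot path, the function list and the size thresholds it uses are illustrative assumptions, not PHP defaults.

```php
<?php
// Added example, not code from the original page: audits the running PHP's
// configuration against the recommendations above and prints the php.ini line
// that would correct each deviation. Run it under the SAPI you care about
// (php-fpm/mod_php answer differently from the CLI); for a quick CLI demo:
//   php -d expose_php=1 -d allow_url_fopen=1 audit.php
// ASSUMED_WEBROOT and DANGEROUS_FUNCS are illustrative assumptions.
declare(strict_types=1);

const ASSUMED_WEBROOT = '/var/www/example/';   // assumption: the vhost's document root
const DANGEROUS_FUNCS = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open',
                         'popen', 'pcntl_exec', 'dl', 'phpinfo', 'symlink'];

/** Convert a php.ini size ("8M", "512K", "0") to bytes; "-1" means unlimited. */
function ini_bytes(string $v): int
{
    $v = trim($v);
    if ($v === '-1') return PHP_INT_MAX;
    $n = (int) $v;
    switch (strtolower(substr($v, -1))) {
        case 'g': return $n << 30;
        case 'm': return $n << 20;
        case 'k': return $n << 10;
        default:  return $n;
    }
}

/** php.ini booleans arrive as "1"/"0"/""/"On"/"Off"; normalise to bool. */
function ini_bool(string $name): bool
{
    return filter_var((string) ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/** Return [directive, finding, php.ini fix] rows for every deviation found. */
function audit(): array
{
    $out = [];
    foreach (['expose_php', 'display_errors', 'html_errors', 'enable_dl',
              'allow_url_fopen', 'allow_url_include'] as $d) {
        if (ini_bool($d)) $out[] = [$d, 'enabled', "$d = Off"];
    }
    foreach (['session.use_only_cookies', 'session.cookie_httponly'] as $d) {
        if (!ini_bool($d)) $out[] = [$d, 'disabled', "$d = 1"];
    }
    if ((string) ini_get('open_basedir') === '') {
        $out[] = ['open_basedir', 'unset: scripts may open any file the PHP user can read',
                  'open_basedir = ' . ASSUMED_WEBROOT];
    }
    // eval is a language construct and cannot be disabled; check real functions.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing  = array_diff(DANGEROUS_FUNCS, $disabled);
    if ($missing !== []) {
        $out[] = ['disable_functions', 'still callable: ' . implode(', ', $missing),
                  'disable_functions = ' . implode(',', DANGEROUS_FUNCS)];
    }
    // Size ordering: upload_max_filesize <= post_max_size <= memory_limit, or
    // uploads fail and an oversized POST arrives as an empty $_POST/$_FILES.
    $upload = ini_bytes((string) ini_get('upload_max_filesize'));
    $post   = ini_bytes((string) ini_get('post_max_size'));
    $mem    = ini_bytes((string) ini_get('memory_limit'));
    if ($post < $upload) {
        $out[] = ['post_max_size', 'smaller than upload_max_filesize',
                  'post_max_size = ' . ini_get('upload_max_filesize')];
    }
    if ($mem < $post) {
        $out[] = ['memory_limit', 'smaller than post_max_size',
                  'memory_limit = ' . ini_get('post_max_size')];
    }
    // session.hash_function exists only up to PHP 7.0; 7.1+ uses a CSPRNG directly.
    if (PHP_VERSION_ID < 70100 && (string) ini_get('session.hash_function') === '0') {
        $out[] = ['session.hash_function', 'MD5 session IDs', 'session.hash_function = sha256'];
    }
    return $out;
}

foreach (audit() as list($directive, $finding, $fix)) {
    printf("[!] %-24s %s\n    php.ini: %s\n", $directive, $finding, $fix);
}
```

Under the CLI the report will always flag display_errors, because php-cli enables it by default; the findings that matter are the ones produced when the same script is served by the web SAPI, after which it should be deleted.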