In order to secure a PHP installation, what are the best settings for a php.ini file? What is absolutely vital in terms of security? What is recommended for most use cases?
You can use the following script to check your PHP security settings http://www.idontplaydarts.com/2011/02/hardening-and-securing-php-on-linux/ – Jul 02 '11 at 10:30
@user3201 Sadly, gives a 404 nowadays. – Oliphaunt Feb 17 '16 at 21:07
2 Answers
I find a good step for hardening your php.ini file is to use the PHPSecInfo tool; it will outline which settings currently in your php.ini may cause a security risk. In addition to using that tool, give this article on Hardening PHP from php.ini a look; it's good and picks up most of the major concerns.
Personally the two main things I always make sure are configured correctly are:
- display_errors - On a production server this should be turned Off and the errors should be logged to a file.
- group_id - This is set to an appropriate value for a low-privileged user, e.g. www-data, not root.
**allow_url_include** - if you don't include PHP files from remote hosts (which seems like a silly thing to begin with), turn this setting OFF. Only harm can come from it. – NSSec Nov 21 '10 at 08:20
There are additional requirements necessary to prevent PHP information disclosures in addition to the display_errors php.ini file directive. There are other places that one needs to check, and these should be verified if at all possible. I suggest looking into the inspathx tool. – atdre Jul 05 '11 at 03:25
phpsecinfo hasn't been updated since April 2007. It looks quite stale, especially compared to the number of developments in PHP over the last 4.5 years. – Stefan Lasiewski Oct 04 '11 at 00:39
Another php.ini hardening could be resource limiting, as described in the configuration file itself under "Resource Limits". Generally, it depends on your web application which limits should be set up. As far as I know, for example, for a WordPress installation a 32M `memory_limit` is not enough. Other applications require a longer time to run (`max_execution_time`). Also, you would like to cut down the maximum time that is allowed for data to be transferred (`max_input_time`). The maximum POST size can also be limited (`post_max_size`). All of the above-mentioned configurations will generally help to avoid DoS conditions.
About `magic_quotes_gpc`: it is quite annoying, and as of PHP 5.4 it was removed. Developers often automatically remove slashes by detecting this setting.