26

In order to secure a PHP installation, what are the best settings for a php.ini file? What is absolutely vital in terms of security? What is recommended for most use cases?

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
VirtuosiMedia
  • 3,232
  • 3
  • 27
  • 32

2 Answers2

12

I find a good step for hardening your php.ini file is to use the PHPSecInfo tool, this tool will outline what settings you have currently in your php.ini that may cause a security risk. In addition to using that tool give this article on Hardening PHP from php.ini a look its good and picks up most of the major concerns.

Personally the two main things I always make sure are configured correctly are:

  • display_errors - On a production server this should be turned Off and the errors should be logged to a file.
  • group_id - This is set to an appropriate value for a low privileged user e.g. www-data not root.
Mark Davidson
  • 9,427
  • 6
  • 45
  • 61
  • 5
    **allow_url_include** - if you don't include PHP files from remote hosts (which seems like a silly thing to begin with), turn this setting OFF. Only harm can come from it. – NSSec Nov 21 '10 at 08:20
  • There are additional requirements necessary to prevent PHP information disclosures in addition to the display_errors php.ini file directive. There are other places that one needs to check, and these should be verified if at all possible. I suggest looking into the inspathx tool. – atdre Jul 05 '11 at 03:25
  • 8
    phpsecinfo hasn't been updated since April 2007. It looks quite stale, especially compared to the number of developments in PHP over the last 4.5 years. – Stefan Lasiewski Oct 04 '11 at 00:39
2

Another php.ini hardening could be resources limiting, as described in configuration file itself "Resource Limits". Generally, it depends on your web-application which limits should be set up. As I know, for example, for Wordpress installation 32M memory memory_limit is not enough. Other applications requires longer time to run max_execution_time. Also, you would like to cut down maximum time that is allowed for data to be transferred max_input_time. Maximum POST size can also be limited post_max_size. All of above mentioned configurations generally will help to avoid DoS conditions.

About maqic_quotes_gpc, it is quite annoying, and as of PHP5.4 it was removed. Developers often automatically removes slashes by detecting this setting.

Maerlyn
  • 133
  • 5