Introduction

Below you will find information on the proper settings for the php.ini file and instructions on configuring Apache, Nginx, and Caddy web servers.

For general PHP codebase security please refer to the following two guides:

PHP Configuration and Deployment

Some of the following settings need to be adapted to your system, in particular session.save_path, session.cookie_path (e.g. /var/www/mysite), and session.cookie_domain (e.g. ExampleSite.com).

You can find a copy of the following values in a ready-to-go php.ini file.

PHP error handling

Keep in mind that display_errors must be set to Off on a production server, and it is a good idea to review the error logs frequently.

PHP general settings

  doc_root = /path/DocumentRoot/PHP-scripts/
  open_basedir = /path/DocumentRoot/PHP-scripts/
  include_path = /path/PHP-pear/
  mime_magic.magicfile = /path/PHP-magic.mime
  allow_url_fopen = Off
  allow_url_include = Off
  variables_order = "GPCS"
  allow_webdav_methods = Off
  session.gc_maxlifetime = 600

Turning off allow_url_* prevents LFIs from being easily escalated to RFIs.

PHP file upload handling

PHP executable handling

  # see also: http://ir.php.net/features.safe-mode
  disable_classes =

These are dangerous PHP functions. You should disable all that you don’t use.

PHP session handling

Session settings are some of the MOST important values to get right when configuring PHP. It is good practice to change session.name to something other than the default.

Some more security paranoid checks

  session.referer_check = /application/path
  memory_limit = 50M
  post_max_size = 20M
  max_execution_time = 60
  report_memleaks = On
  track_errors = Off
  html_errors = Off
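The error-handling, general, session and "paranoid" settings above are only useful if a server actually carries them, so the following added example (it is not part of the cheat sheet or of any project it refers to) is a small php.ini auditor: it parses a php.ini, compares the directives this page prescribes against their listed values, and reports every deviation. Two directives not on the page are included as assumptions, both real php.ini directives: log_errors (to make the "review the logs" advice checkable) and disable_functions (to check that some dangerous functions are disabled at all). The sample php.ini embedded at the bottom is constructed for the demonstration.

```python
"""Audit a php.ini against the hardening baseline listed on this page.

Added example, not from the original cheat sheet. Directive names and expected
values come from the lists above; log_errors and disable_functions are added
here as assumptions (both are real php.ini directives).
"""
import re
import sys

# Expected values in php.ini spelling. "int" and "size" entries are upper bounds.
BASELINE = {
    "display_errors": ("bool", False),
    "log_errors": ("bool", True),               # assumption: not listed on the page
    "allow_url_fopen": ("bool", False),
    "allow_url_include": ("bool", False),
    "allow_webdav_methods": ("bool", False),
    "variables_order": ("exact", "GPCS"),
    "session.gc_maxlifetime": ("int", 600),
    "memory_limit": ("size", "50M"),
    "post_max_size": ("size", "20M"),
    "max_execution_time": ("int", 60),
    "report_memleaks": ("bool", True),
    "track_errors": ("bool", False),
    "html_errors": ("bool", False),
    "open_basedir": ("nonempty", None),
    "disable_functions": ("nonempty", None),    # assumption: not listed on the page
    "session.name": ("not", "PHPSESSID"),       # the page says to change the default name
}

# Strings PHP's ini parser treats as "off"; anything else (On, 1, stderr, ...) is "on".
FALSY = {"", "0", "off", "false", "no", "none"}


def parse_php_ini(text):
    """Return {directive: raw value}. ';' starts a comment, [sections] are skipped.
    A ';' inside a quoted value is not handled, which is fine for the directives audited here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def php_bool(value):
    return value.strip().lower() not in FALSY


def php_size(value):
    """Decode php.ini shorthand (e.g. 128M) into bytes; a negative value means unlimited."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kmg]?)\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    if number < 0:
        return float("inf")
    return number * {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[unit]


def describe(kind, expected):
    return {"bool": "On" if expected else "Off", "exact": repr(expected),
            "int": f"at most {expected}", "size": f"at most {expected}",
            "nonempty": "a non-empty value", "not": f"anything but {expected!r}"}[kind]


def audit(settings):
    """Return a sorted list of (directive, problem) pairs for every baseline deviation."""
    findings = []
    for directive, (kind, expected) in BASELINE.items():
        value = settings.get(directive)
        if value is None:
            findings.append((directive, "not set explicitly (PHP default applies)"))
            continue
        if kind == "bool":
            ok = php_bool(value) == expected
        elif kind == "exact":
            ok = value == expected
        elif kind == "int":       # 0 means "unlimited" for max_execution_time, so it fails too
            ok = value.isdigit() and 0 < int(value) <= expected
        elif kind == "size":
            ok = php_size(value) <= php_size(expected)
        elif kind == "nonempty":
            ok = value != ""
        else:                     # "not"
            ok = value != expected
        if not ok:
            findings.append((directive, f"is {value!r}, expected {describe(kind, expected)}"))
    return sorted(findings)


# Constructed sample php.ini (not from any real server) with several weak settings.
SAMPLE_INI = """\
; constructed sample
[PHP]
display_errors = On
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
variables_order = "GPCS"
memory_limit = 128M
post_max_size = 8M
max_execution_time = 30
html_errors = Off
track_errors = Off
report_memleaks = On
open_basedir =
disable_functions = exec,passthru
[Session]
session.name = PHPSESSID
session.gc_maxlifetime = 1440
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INI
    for directive, problem in audit(parse_php_ini(text)):
        print(f"{directive}: {problem}")
```

Run it with the path of a php.ini as the first argument, or with no argument to audit the embedded sample; on the sample it flags display_errors, memory_limit, open_basedir, session.name, session.gc_maxlifetime and the unset allow_webdav_methods. Treating a missing directive as a finding is deliberate: the page's values are meant to be set explicitly rather than left to whatever default the installed PHP build ships with.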

Suhosin

Suhosin is a patch to PHP which provides a number of hardening and security features that are not available in the default PHP build. However, Suhosin only works with PHP 5, which is unsupported and should not be used.