PHP Configuration Cheat Sheet
This page is part of the PHP Security Cheat Sheet, for developers and administrators. It describes secure configuration of PHP and its platform.
..: Work in Progress :..
Web Server Configuration
suPHP makes every php script run as its file owner. This way you are allowed to upload and modify files in your folders without needing to chmod 777 any folder, which is very bad security practice and will let to your files be compromised easily. Install and configure it on your web server.
PHP Configuration and Deployment
Consider using Suhosin (Stefan Esser's [Hardened PHP patch]) if you want to patch many custom security flaws in various parts of PHP.
Note that some of following settings need to be adapted to your system, in particular
/application/. Also read the PHP Manual according dependencies of some settings.
PHP error handlling
expose_php = Off error_reporting = E_ALL display_errors = Off display_startup_errors = Off log_errors = On error_log = /valid_path/PHP-logs/php_error.log ignore_repeated_errors = Off
Keep in mind that you need to have display_errors off on a production server and it's a good idea to frequently notice the logs.
PHP general settings
doc_root = /path/DocumentRoot/PHP-scripts/ open_basedir = /path/DocumentRoot/PHP-scripts/ include_path = /path/PHP-pear/ extension_dir = /path/PHP-extensions/ mime_magic.magicfile = /path/PHP-magic.mime allow_url_fopen = Off allow_url_include = Off variables_order = "GPSE" allow_webdav_methods = Off
Allow_url_* prevents LFIs to be easily escalated to RFIs.
PHP file upload handling
file_uploads = On upload_tmp_dir = /path/PHP-uploads/ max_file_uploads = 2
It's a good idea to turn it off, if your application is not using file uploads.
PHP executable handling
enable_dl = On disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open disable_functions = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file disable_functions = chdir, mkdir, rmdir, chmod, rename disable_functions = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo # see also: http://ir.php.net/features.safe-mode disable_classes =
These are dangerous PHP functions. You should disable all that you don't use.
PHP session handling
session.auto_start = Off session.save_path = /path/PHP-session/ session.name = myPHPSESSID session.hash_function = 1 session.hash_bits_per_character = 6 session.use_trans_sid = 0 session.cookie_domain = full.qualified.domain.name #session.cookie_path = /application/path/ session.cookie_lifetime = 0 session.cookie_secure = On session.cookie_httponly = 1 session.use_only_cookies= 1 session.cache_expire = 30 default_socket_timeout = 60
It is a good practice to change session.name to something new.
some more security paranoid checks
session.referer_check = /application/path memory_limit = 32M post_max_size = 32M max_execution_time = 60 report_memleaks = On track_errors = Off html_errors = Off
PHP Database Settings
PHP Database User
PHP Windows specific Settings
Related Cheat Sheets
Authors and Primary Editors
--Achim, 30. November 2012
OWASP Cheat Sheets Project Homepage
Developer Cheat Sheets (Builder)
- Authentication Cheat Sheet
- Choosing and Using Security Questions Cheat Sheet
- Clickjacking Defense Cheat Sheet
- C-Based Toolchain Hardening Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Cryptographic Storage Cheat Sheet
- DOM based XSS Prevention Cheat Sheet
- Forgot Password Cheat Sheet
- HTML5 Security Cheat Sheet
- Input Validation Cheat Sheet
- JAAS Cheat Sheet
- Logging Cheat Sheet
- .NET Security Cheat Sheet
- OWASP Top Ten Cheat Sheet
- Password Storage Cheat Sheet
- Pinning Cheat Sheet
- Query Parameterization Cheat Sheet
- Ruby on Rails Cheatsheet
- REST Security Cheat Sheet
- Session Management Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- Transport Layer Protection Cheat Sheet
- Unvalidated Redirects and Forwards Cheat Sheet
- User Privacy Protection Cheat Sheet
- Web Service Security Cheat Sheet
- XSS (Cross Site Scripting) Prevention Cheat Sheet
Assessment Cheat Sheets (Breaker)
Mobile Cheat Sheets
OpSec Cheat Sheets (Defender)
Draft Cheat Sheets
- Access Control Cheat Sheet
- Application Security Architecture Cheat Sheet
- Business Logic Security Cheat Sheet
- PHP Security Cheat Sheet
- Secure Coding Cheat Sheet
- Secure SDLC Cheat Sheet
- Threat Modeling Cheat Sheet
- Web Application Security Testing Cheat Sheet
- Grails Secure Code Review Cheat Sheet
- IOS Application Security Testing Cheat Sheet
- Key Management Cheat Sheet
- Insecure Direct Object Reference Prevention Cheat Sheet
- Content Security Policy Cheat Sheet