Recommended Security Configuration options
A few PHP configuration settings directly affect security. The following should clearly be applied on production servers:
register_globals set to OFF
safe_mode set to OFF
error_reporting set to OFF. When an error occurs, this setting sends a visible error report to the user's browser. Production servers should use the error log instead. The development server can enable the error log if it is behind a firewall. (LCTT: According to the original's logic and common sense, this should read "a development server can enable error reporting if it is behind a firewall", i.e. turn it on.)
Deactivate these functions: system(), exec(), passthru(), shell_exec(), proc_open(), and popen().
Set open_basedir to the /tmp directory (which holds session information) and the web root, so that scripts cannot access files outside those areas.
expose_php set to OFF. This feature adds a PHP signature, including the version number, to the Apache response headers.
allow_url_fopen set to OFF. This is not strictly required if you pay close attention to how your code accesses files, that is, if you validate all input parameters.
allow_url_include set to OFF. There is no sensible reason for anyone to want to include files over HTTP.
In general, if you find code that wants to use these features, you should not trust it. In particular, be wary of code that calls functions like system(); it is almost certainly flawed.
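The following audit script is an added example, not code from the original article: it checks a running PHP installation against the settings listed above and prints a warning for each deviation. Note that the directive that actually controls whether error text reaches the browser is display_errors (with log_errors routing errors to the log), so the script checks those rather than error_reporting.

```php
<?php
// Added configuration audit, not code from the original article. Run it with
// the same SAPI the site uses (`php -f audit.php` checks the CLI's php.ini,
// which may differ from the web server's).
// ini_get() returns strings such as "", "0", "1", "Off" or "On"; normalise.
function ini_is_on(string $directive): bool {
    $value = ini_get($directive);
    // false: the directive does not exist in this build (register_globals and
    // safe_mode were removed in PHP 5.4), which counts as Off.
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}
$findings = [];
// Directives the article wants OFF. display_errors is the switch that sends
// error text to the browser; log_errors should be ON so errors go to the log.
foreach (['register_globals', 'safe_mode', 'display_errors', 'expose_php',
          'allow_url_fopen', 'allow_url_include'] as $directive) {
    if (ini_is_on($directive)) {
        $findings[] = "$directive is On; set it to Off";
    }
}
if (!ini_is_on('log_errors')) {
    $findings[] = 'log_errors is Off; enable it so errors reach the error log';
}
// Shell-execution functions the article says to deactivate. They can only be
// disabled via disable_functions in php.ini; once disabled they no longer
// exist at runtime, so function_exists() reports them as absent.
foreach (['system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen'] as $fn) {
    if (function_exists($fn)) {
        $findings[] = "$fn() is callable; add it to disable_functions";
    }
}
// open_basedir: empty means no restriction. An entry without a trailing slash
// is a prefix match ("/var/www" also allows "/var/www2"), so insist on one.
$basedir = (string) ini_get('open_basedir');
if ($basedir === '') {
    $findings[] = 'open_basedir is empty; limit it to the web root and session dir';
}
foreach (array_filter(explode(PATH_SEPARATOR, $basedir)) as $path) {
    if (substr($path, -1) !== DIRECTORY_SEPARATOR) {
        $findings[] = "open_basedir entry '$path' lacks a trailing slash (prefix match)";
    }
}
foreach ($findings as $f) {
    echo "WARNING: $f\n";
}
exit($findings === [] ? 0 : 1);
```

The exit status is 0 only when every check passes, so the script can run from a deployment pipeline or cron job and fail loudly when a php.ini change regresses one of these settings.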
With these settings in place, let's look at some specific attacks and how you can help protect your server.