9123122, 8:48 AM PHP Configuration - OWASP Cheat Sheet Series PHP Configuration Cheat Sheet Introduction This page is meant tohelp those configuring PHP and the web server it is running on to be very secure. Below you will ind information on the proper settings for the php.ini file and instructions on configuring Apache, Noinx, and Caddy web servers. For general PHP codebase security please refer to the two following great guides: ‘* Paragonie's 2018 PHP Security Guide «Awesome PHP Security PHP Configuration and Deployment php.ini ‘Some of following settings need to be adapted to your system, in particular session. save_path, session.cookie_path (@g, /var/wm/nysite ),and session.cookie_domain (eg. ExampleSite.con). You shouldalso be running PHP 7.2 or later. Ifrunning PHP 7.0 and 7.1, youwill use slightly different values in a couple of places below (see inline comments). Finally look through the PHP. Manuel for a complete reference on every value in the php.ini corfiguration file, You can finda copy of the following values in a ready-to-go php.ini fle here. PHP entorhanding expose_php ff error_reporting ALL display_errors +f display_startup_errors = Off log_errors 0 error_log valid. path/PHP-Logs/phperror-log ignore_repeated_errors = Off -ntps:ifcheatshectseries.owasp.orgicheatsheets!PHP_Configuratlon_Cheat_Sheet.himl 489123122, 8:48 AM PHP Configuration - OWASP Cheat Sheet Series Keep in mind that you need tohave display_errors to off ona production server and it's a good ideo to frequently nctice the logs. PHP general settings doc_root /path/DocumentRoot /PHP-scripts/ open_basedir {path/DocunentRoot/PHP-scripts/ include_path = /path/PHP-pear/ extension.dir /path/PHP-extensions/ ime_magic.magicfile /path/PHP-magic.mine allow_url_fopen off allow_url_include = off variables_order ccs’ allow_webdav_methods off session.gc_maxlifetime = 600 allow_url_* prevents LFisto be easily escalated to PFs. PHP file upicad handling file_uploads = on upload_tmp_dir = /path/PHP-uploads/ upload_max_filesize = 2M nax_file_uploads 22 If your application is net using file uploads, and say the only data the user will enter / upload is forms that donot require any document attachments, file_uploeds shouldbe tuned off . PHP executable handling enable_dl off disable_functions system, exec, shell_exec, passthru, phpinfo, show_source, Popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_f: chdir, mkdir, rmdir, chmod, renane, filepro, filepro.rowcount, filepro_retrieve, posix_nkfifo # see also: http://ir-php.net/features. safe-mode disable_classes These are dangerous PHP functions. You should disable all that you dont use. PHP session handing Session settings are some of the MOST important values to concentrate on in configuring. tis @ (good practice to change session.name to something new. -ntps:ifcheatshectseries.owasp.orgicheatsheets!PHP_Configuratlon_Cheat_Sheet.himl 239723122, 648 AM PHP Configuration - OWASP Cheat Sheet Series session .save_path = /path/PHP-session/ session.name myPHPSESSTD session auto_stert off session .use_trans_sid =o session .cookie_donain = full qualified. domain .name session. cookie_path = /application/path/ session .use_strict_mode 1 use_cookies 1 use_only_cookies 1 cookie_lifetine 14808 # 4 hours cookie_secure “1 cookie_httponly 1 cookie_sanesite = Strict cache_expire = 30 sid_length = 256 sid_bits_per_character = 6 # PHP 7.2+ hash_funetion 1 # PHP 7.8-7.1 hash_bits.per_character = 6 # PHP 7.8-7.1 ‘Some more security paranoid checks session.referer_check = /application/path enory-Limit = 50M post_max_size = 20M ax_execution_time = 60 report_memleaks = On track_errors = off html_errors = off ‘Suhosin ‘Suhosin is a patch to PHP which provides a number of hardening and security features that are not available in the default PHP build. However, Suhosin only works with PHP 5, which is unsupported ‘and should not be used. For PHP 7, there is Suhosir-ng, but it's in a prerelease stage, and as such should not be used in production. ‘Snuffleupagus Snuffleupagus is the spiritual descendent of Suhosin for PHP 7 and onwards, with modem features, It's considered stable, and is usable in production. -ntps:ifcheatshectseries.owasp.orgicheatsheets!PHP_Configuratlon_Cheat_Sheet.himl 313