What are the PHP security settings

There are several PHP functions, which are recommended to be properly configured in order to protect the server from a harm. Of course, overall protection of the system can be rather complex and require a number of specific tools, but in this tutorial, we will examine how to start with some basics, which don’t require additional spends. So, let’s see how to perform some initial configurations to increase the security of the PHP application, hosted with CloudJiffy Cloud.

The main PHP configuration file, named php.ini, contains a number of default settings, which I can customize, or even add the own depending on the needs of the application. It is located in the etc directory of the Apache or NGINX-PHP application server. This file is fully editable for me as a CloudJiffy customer, so let’s consider which settings I can apply in order to ensure the server security.

Note that the values described below are just recommendations. Before applying, please, make sure my application requirements will meet these configurations do not decrease its performance.

Press Config button for the Apache server. In the appeared tab navigate to the etc directory and open php.ini file.

php ini config

 

Follow the next instructions to apply the necessary configurations:

1. Add the following string in order to disable the insecure functions:

disable_functions = phpinfo, system, mail, exec

An additional security can be obtained by disabling the following functions::

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

insecure php functions

2. Scope the allowed resources amount, if it is acceptable for the application:

  • Maximum script execution time (in seconds) max_execution_time = 30

  • Maximum time for request data parsing by each script max_input_time = 60

  • Maximum size of uploaded file upload_max_filesize = 2M

  • Maximum script memory amount (8MB) memory_limit = 8M (the default value is 128M, but it is acceptable to set the lower one if it won’t decrease the application performance)

  • Maximum POST data size, acceptable for PHP post_max_size = 8M


3. The following list of functions can be restricted in the case they aren’t necessary for the application:

  • Disallow HTTP file uploads file_uploads = Off

  • Disallow displaying the PHP error messages for the end-users display_errors = Off

  • Limit the external access to the PHP environment safe_mode_allowed_env_vars = PHP_

  • Restrict the sending back of PHP information expose_php = Off

  • Turn off the globals registration for input data register_globals = Off

  • Restrict remote files opening allow_url_fopen = Off


4. In order to get more information about the security state, enable the following functions:

  • Ensure appropriateness of PHP redirecting cgi.force_redirect = 0

  • Enable all possible errors logging log_errors = On


5. Switch on available safe modes:

  • Enable safe mode safe_mode = On

  • Enable SQL safe mode SQL.safe_mode = On


Note: While specifying the abovementioned settings that should consider the requirements of the application, in some cases, it can be unavailable.


Was this article helpful?

mood_bad Dislike 0
mood Like 0
visibility Views: 12087