This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Difference between revisions of "PHP Configuration Cheat Sheet"

Jump to: navigation, search
(Migration to GitHub)
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
= Introduction  =
The Cheat Sheet Series project has been moved to [ GitHub]!
This page is part of the [[PHP Security Cheat Sheet]], for developers and administrators. It describes secure configuration of PHP and its platform.
Please visit [ PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
====<center>..: Work in Progress :..</center>====
=Web Server Configuration=
[ suPHP] makes every php script run as its file owner. This way you are allowed to upload and modify files in your folders without needing to '''chmod 777''' any folder, which is very bad security practice and will let to your files be compromised easily. Install and configure it on your web server.
=PHP Configuration and Deployment=
Consider using [ Suhosin] (Stefan Esser's [Hardened PHP patch]) if you want to patch many custom security flaws in various parts of PHP.
Note that some of following settings need to be adapted to your system, in particular <code style="background:#ddd">/path/</code> and <code style="background:#ddd">/application/</code>. Also read the [ PHP Manual] according dependencies of some settings.
====PHP error handlling====
  expose_php              = Off
  error_reporting        = E_ALL
  display_errors          = Off
  display_startup_errors  = Off
  log_errors              = On
  error_log              = /valid_path/PHP-logs/php_error.log
  ignore_repeated_errors  = Off
Keep in mind that you need to have display_errors off on a production server and it's a good idea to frequently notice the logs.
====PHP general settings====
  doc_root                = /path/DocumentRoot/PHP-scripts/
  open_basedir            = /path/DocumentRoot/PHP-scripts/
  include_path            = /path/PHP-pear/
  extension_dir          = /path/PHP-extensions/
  mime_magic.magicfile   = /path/PHP-magic.mime
  allow_url_fopen        = Off
  allow_url_include      = Off
  variables_order        = "GPSE"
  allow_webdav_methods    = Off
Allow_url_* prevents LFIs to be easily escalated to RFIs.
====PHP file upload handling====
  file_uploads            = On
  upload_tmp_dir          = /path/PHP-uploads/
  upload_max_filesize    = 2M
  max_file_uploads        = 2
It's a good idea to turn it off, if your application is not using file uploads.
====PHP executable handling====
  enable_dl              = On
  disable_functions      = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open
  disable_functions      = fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file
  disable_functions      = chdir, mkdir, rmdir, chmod, rename
  disable_functions      = filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
    # see also:
  disable_classes        =
These are dangerous PHP functions. You should disable all that you don't use.
====PHP session handling====
  session.auto_start      = Off
  session.save_path      = /path/PHP-session/            = myPHPSESSID
  session.hash_function  = 1
  session.hash_bits_per_character = 6
  session.use_trans_sid  = 0
  session.cookie_domain  =
  #session.cookie_path    = /application/path/
  session.cookie_lifetime = 0
  session.cookie_secure  = On
  session.cookie_httponly = 1
  session.use_only_cookies= 1
  session.cache_expire    = 30
  default_socket_timeout  = 60
It is a good practice to change to something new.
====some more security paranoid checks====
  session.referer_check  = /application/path
  memory_limit            = 32M
  post_max_size          = 32M
  max_execution_time      = 60
  report_memleaks        = On
  track_errors            = Off
  html_errors            = Off
====PHP Database Settings====
{{TBD: database sesttings should be done in web server's configuration (i.e. httpd.conf)}}
====PHP Database User====
{{TBD: explain pros&cons what to set in php.ini and/or httpd.conf and/or registry}}
====PHP Windows specific Settings====
====PHP Extension====
= Related Cheat Sheets  =
= Authors and Primary Editors  =
[[User:Achim|Achim]] Hoffmann - [ Achim at]
--[[User:Abbas Naderi|AbiusX]] [mailto:[email protected] email]
--[[User:Achim|Achim]], 30. November 2012
= Other Cheatsheets =

Latest revision as of 13:16, 20 February 2019


The Cheat Sheet Series project has been moved to GitHub!

Please visit PHP Configuration Cheat Sheet to see the latest version of the cheat sheet.