Introduction
PHP is a widely used programming language for creating dynamic web pages and web applications. As with any programming language, security is a critical concern when developing with PHP. One of the most important steps in securing your PHP installation is properly configuring your PHP settings, which can be done through the php.ini file. This file controls various aspects of how PHP runs on your server, including performance, error reporting, and security. In this blog post, we'll explore some of the key PHP settings that you can configure in the php.ini file to help make your website more secure, with examples and explanations to each of them.
You should run the latest PHP version on your sever because it should be more secure.
Here is the PHP Manual for a complete list of the core php.ini directives.
Configure php.ini File
Secure file permissions on php.ini
One of the first things to consider when securing your PHP installation is setting the correct permissions on the php.ini file itself. By default, the file is usually readable by anyone on the server, which can potentially allow an attacker to view sensitive information about your PHP configuration. To mitigate this risk, you should restrict access to the file by changing its permissions to be readable only by the user that runs your web server process.
sudo chown www-data:www-data /path/php.ini
sudo chmod 644 /path/php.iniThis will change the ownership of the file to the user/group of your web server and set permissions to 644 (rw-r--r--), allowing the user to read and write but not execute.
The php.ini is the main configuration file for PHP settings. It is used to control parameters such as include_path, extension_dir and error_log, etc.
General php.ini Settings
doc_root = /path/DocumentRoot/PHP-scripts/
open_basedir = /path/DocumentRoot/PHP-scripts/
include_path = /path/PHP-pear/
mime_magic.magicfile = /path/PHP-magic.mime
allow_url_include = Off
allow_url_fopen = Off
extension_dir = /path/PHP-extensions/
variables_order = "GPCS"
allow_webdav_methods = Off
session.gc_maxlifetime = 600PHP file upload php.ini Settings
If your PHP website is having file upload functionality, then you should focus on the following settings:
file_uploads = On
upload_max_filesize = 2M
upload_tmp_dir = /path/PHP-uploads/
max_file_uploads = 2PHP Session Handling php.ini Settings
Session handling is the most targeted feature for almost every website technology by hackers, securing it is essential. Use the following Settings:
session.save_path = /path/PHP-session/
session.name = myPHPSESSID
session.auto_start = Off
session.use_trans_sid = 0
session.cookie_domain = full.qualified.domain.name
#session.cookie_path = /application/path/
session.use_strict_mode = 1
session.cookie_lifetime = 14400 # 4 hours
session.use_cookies = 1
session.use_only_cookies = 1
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.cache_expire = 30
session.sid_length = 256
session.sid_bits_per_character = 6 # PHP 7.2+
session.hash_function = 1 # PHP 7.0-7.1
session.hash_bits_per_character = 6 # PHP 7.0-7.1Conclusion
There are many ways to secure your PHP website by configuring the php.ini file. The settings discussed in this post are just a few examples of the many ways that you can use the php.ini file to improve the security of your PHP website. It's important to remember that security is a continuous process, so it's always a good idea to