From 2b9ed78efd0fdb0ecdc22d89d48eb38abde99bdc Mon Sep 17 00:00:00 2001 From: fs Date: Fri, 13 Mar 2026 19:55:11 +0100 Subject: [PATCH] fix(security): harden production PHP configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - expose_php=Off — hide PHP version from response headers - allow_url_include=Off — prevent remote file inclusion - open_basedir=/var/www:/tmp — restrict filesystem access - disable_functions — block shell execution functions not used by the app - Session hardening: strict_mode, httponly, secure, samesite=Lax, use_only_cookies, 48-char session IDs with 6 bits/char Note: allow_url_fopen left On (required by PHPMailer for SMTP streams). Co-Authored-By: Claude Opus 4.6 --- docker/php/php.prod.ini | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docker/php/php.prod.ini b/docker/php/php.prod.ini index ae5b8a7..149ac5e 100644 --- a/docker/php/php.prod.ini +++ b/docker/php/php.prod.ini @@ -1,7 +1,26 @@ +; --- Error handling --- display_errors=0 display_startup_errors=0 error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT log_errors=1 + +; --- Resource limits --- memory_limit=256M upload_max_filesize=10M post_max_size=12M + +; --- Security hardening --- +expose_php=Off +allow_url_include=Off +open_basedir=/var/www:/tmp +disable_functions=exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source + +; --- Session hardening --- +session.use_strict_mode=1 +session.cookie_httponly=1 +session.cookie_secure=1 +session.cookie_samesite=Lax +session.use_only_cookies=1 +session.use_trans_sid=0 +session.sid_length=48 +session.sid_bits_per_character=6