fix(security): harden PHP configuration for dev and production

Apply consistent security settings to both environments so issues
surface early in development rather than first appearing in prod.

Both environments:
- expose_php=Off — hide PHP version from X-Powered-By
- allow_url_include=Off — prevent remote file inclusion
- open_basedir=/var/www:/tmp — restrict filesystem access
- disable_functions — block shell execution functions unused by the app
- Session: strict_mode, httponly, samesite=Lax, use_only_cookies

Production additionally:
- display_errors=0, log_errors=1
- session.cookie_secure=1 (HTTPS-only)

Removed deprecated sid_length/sid_bits_per_character (PHP 8.5+).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 19:58:23 +01:00
parent 2b9ed78efd
commit b89fd792bf
2 changed files with 17 additions and 2 deletions

View File

@@ -22,5 +22,3 @@ session.cookie_secure=1
session.cookie_samesite=Lax
session.use_only_cookies=1
session.use_trans_sid=0
session.sid_length=48
session.sid_bits_per_character=6