- expose_php=Off — hide PHP version from response headers - allow_url_include=Off — prevent remote file inclusion - open_basedir=/var/www:/tmp — restrict filesystem access - disable_functions — block shell execution functions not used by the app - Session hardening: strict_mode, httponly, secure, samesite=Lax, use_only_cookies, 48-char session IDs with 6 bits/char Note: allow_url_fopen left On (required by PHPMailer for SMTP streams). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
643 B
643 B