1
0

fix(security): harden production PHP configuration

- expose_php=Off — hide PHP version from response headers
- allow_url_include=Off — prevent remote file inclusion
- open_basedir=/var/www:/tmp — restrict filesystem access
- disable_functions — block shell execution functions not used by the app
- Session hardening: strict_mode, httponly, secure, samesite=Lax,
  use_only_cookies, 48-char session IDs with 6 bits/char

Note: allow_url_fopen left On (required by PHPMailer for SMTP streams).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 19:55:11 +01:00
parent 3053a77cde
commit 2b9ed78efd

View File

@@ -1,7 +1,26 @@
; --- Error handling ---
display_errors=0
display_startup_errors=0
error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT
log_errors=1
; --- Resource limits ---
memory_limit=256M
upload_max_filesize=10M
post_max_size=12M
; --- Security hardening ---
expose_php=Off
allow_url_include=Off
open_basedir=/var/www:/tmp
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source
; --- Session hardening ---
session.use_strict_mode=1
session.cookie_httponly=1
session.cookie_secure=1
session.cookie_samesite=Lax
session.use_only_cookies=1
session.use_trans_sid=0
session.sid_length=48
session.sid_bits_per_character=6