From b89fd792bf030d7a77a698635fd612c5a04db660 Mon Sep 17 00:00:00 2001 From: fs Date: Fri, 13 Mar 2026 19:58:23 +0100 Subject: [PATCH] fix(security): harden PHP configuration for dev and production MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apply consistent security settings to both environments so issues surface early in development rather than first appearing in prod. Both environments: - expose_php=Off — hide PHP version from X-Powered-By - allow_url_include=Off — prevent remote file inclusion - open_basedir=/var/www:/tmp — restrict filesystem access - disable_functions — block shell execution functions unused by the app - Session: strict_mode, httponly, samesite=Lax, use_only_cookies Production additionally: - display_errors=0, log_errors=1 - session.cookie_secure=1 (HTTPS-only) Removed deprecated sid_length/sid_bits_per_character (PHP 8.5+). Co-Authored-By: Claude Opus 4.6 --- docker/php/php.ini | 17 +++++++++++++++++ docker/php/php.prod.ini | 2 -- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/docker/php/php.ini b/docker/php/php.ini index afed12e..19fb20b 100644 --- a/docker/php/php.ini +++ b/docker/php/php.ini @@ -1,6 +1,23 @@ +; --- Error handling (verbose for development) --- display_errors=1 display_startup_errors=1 error_reporting=E_ALL +log_errors=1 + +; --- Resource limits --- memory_limit=256M upload_max_filesize=10M post_max_size=12M + +; --- Security hardening (match prod to catch issues early) --- +expose_php=Off +allow_url_include=Off +open_basedir=/var/www:/tmp +disable_functions=exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source + +; --- Session hardening --- +session.use_strict_mode=1 +session.cookie_httponly=1 +session.cookie_samesite=Lax +session.use_only_cookies=1 +session.use_trans_sid=0 diff --git a/docker/php/php.prod.ini b/docker/php/php.prod.ini index 149ac5e..4054d3d 100644 --- a/docker/php/php.prod.ini +++ b/docker/php/php.prod.ini @@ -22,5 +22,3 @@ session.cookie_secure=1 session.cookie_samesite=Lax session.use_only_cookies=1 session.use_trans_sid=0 -session.sid_length=48 -session.sid_bits_per_character=6