1
0

fix(security): harden PHP configuration for dev and production

Apply consistent security settings to both environments so issues
surface early in development rather than first appearing in prod.

Both environments:
- expose_php=Off — hide PHP version from X-Powered-By
- allow_url_include=Off — prevent remote file inclusion
- open_basedir=/var/www:/tmp — restrict filesystem access
- disable_functions — block shell execution functions unused by the app
- Session: strict_mode, httponly, samesite=Lax, use_only_cookies

Production additionally:
- display_errors=0, log_errors=1
- session.cookie_secure=1 (HTTPS-only)

Removed deprecated sid_length/sid_bits_per_character (PHP 8.5+).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 19:58:23 +01:00
parent 2b9ed78efd
commit b89fd792bf
2 changed files with 17 additions and 2 deletions

View File

@@ -1,6 +1,23 @@
; --- Error handling (verbose for development) ---
display_errors=1
display_startup_errors=1
error_reporting=E_ALL
log_errors=1
; --- Resource limits ---
memory_limit=256M
upload_max_filesize=10M
post_max_size=12M
; --- Security hardening (match prod to catch issues early) ---
expose_php=Off
allow_url_include=Off
open_basedir=/var/www:/tmp
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source
; --- Session hardening ---
session.use_strict_mode=1
session.cookie_httponly=1
session.cookie_samesite=Lax
session.use_only_cookies=1
session.use_trans_sid=0