forked from fa/breadcrumb-the-shire
fix(security): harden PHP configuration for dev and production
Apply consistent security settings to both environments so issues surface early in development rather than first appearing in prod. Both environments: - expose_php=Off — hide PHP version from X-Powered-By - allow_url_include=Off — prevent remote file inclusion - open_basedir=/var/www:/tmp — restrict filesystem access - disable_functions — block shell execution functions unused by the app - Session: strict_mode, httponly, samesite=Lax, use_only_cookies Production additionally: - display_errors=0, log_errors=1 - session.cookie_secure=1 (HTTPS-only) Removed deprecated sid_length/sid_bits_per_character (PHP 8.5+). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,23 @@
|
||||
; --- Error handling (verbose for development) ---
|
||||
display_errors=1
|
||||
display_startup_errors=1
|
||||
error_reporting=E_ALL
|
||||
log_errors=1
|
||||
|
||||
; --- Resource limits ---
|
||||
memory_limit=256M
|
||||
upload_max_filesize=10M
|
||||
post_max_size=12M
|
||||
|
||||
; --- Security hardening (match prod to catch issues early) ---
|
||||
expose_php=Off
|
||||
allow_url_include=Off
|
||||
open_basedir=/var/www:/tmp
|
||||
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source
|
||||
|
||||
; --- Session hardening ---
|
||||
session.use_strict_mode=1
|
||||
session.cookie_httponly=1
|
||||
session.cookie_samesite=Lax
|
||||
session.use_only_cookies=1
|
||||
session.use_trans_sid=0
|
||||
|
||||
Reference in New Issue
Block a user