Sysop:PHPHardening
This wiki page is not complete, nor can you be sure that these tweaks will make your Apache completely secure. However, if you know of or learn additional tweaks, come across mistakes etc., please feel free to add, change and correct them. Thanks!
global settings
expose_php
expose_php = Off
This prevents PHP from exposing itself by adding its name to the web server signature.
display_errors
display_errors = Off
This will not display any errors on the webpage and therefore will not disclose any information.
log_errors
However it is much better to log the errors to a file:
log_errors = On
error_log = /path/to/php-errors
enable_dl
Make sure you deactivate the enable_dl option (thus disabling dynamic extension loading):
enable_dl = Off
SafeMode
safe_mode = On
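Safe mode is not actually safe, but it may make exploitation more difficult. It was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so the directive only has an effect on older versions.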
disable_functions
The list of functions to disable may differ from setup to setup.
disable_functions = phpinfo, pcntl_exec, show_source, passthru
allow_url_fopen
Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = Off
allow_url_include
Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off
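An added example, not part of the original wiki page: a small Python check that reads a php.ini and reports where it differs from the values recommended above. The function names, the built-in defaults assumed for missing directives and the sample file are assumptions of this example; safe_mode is left out.

```python
# Values recommended on this page (True = On, False = Off).
RECOMMENDED = {"expose_php": False, "display_errors": False, "log_errors": True,
               "enable_dl": False, "allow_url_fopen": False, "allow_url_include": False}
# Assumed PHP built-in defaults, applied when a directive is absent from the file.
DEFAULTS = {"expose_php": "1", "display_errors": "1", "log_errors": "1",
            "enable_dl": "1", "allow_url_fopen": "1", "allow_url_include": "0",
            "error_log": "", "disable_functions": ""}
# Functions the page lists under disable_functions.
MUST_DISABLE = {"phpinfo", "pcntl_exec", "show_source", "passthru"}

def parse_ini(text):
    """Return {directive: value}; later assignments override earlier ones."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments (simplified)
        if "=" not in line or line.startswith("["):
            continue  # skip blank lines and [section] headers
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip("\"'")  # directive names are case sensitive
    return settings

def is_on(value):
    """PHP reads these strings as false; anything else counts as true."""
    return value.lower() not in ("", "0", "off", "false", "no", "none")

def audit(text):
    """Return a sorted list of findings for the directives covered on this page."""
    s = parse_ini(text)
    findings = [f"{name} should be {'On' if want else 'Off'}"
                for name, want in RECOMMENDED.items() if is_on(s[name]) != want]
    if is_on(s["log_errors"]) and not s["error_log"]:
        findings.append("error_log is not set to a file")
    disabled = {f.strip().lower() for f in s["disable_functions"].split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return sorted(findings)

# Constructed sample php.ini, not taken from a real system.
SAMPLE = """\
[PHP]
expose_php = Off
display_errors = On      ; left on from development
log_errors = On
disable_functions = phpinfo, passthru
allow_url_fopen = Off
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real file, pass its contents to audit(); an empty list means every directive covered here matches the recommendation.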