
php-fpm: php.ini hardening #34

Closed JGoutin closed 1 year ago

JGoutin commented 3 years ago

Provide hardening based on OWASP cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html

Refs:

JGoutin commented 1 year ago

Already in Fedora defaults (Fedora 37/PHP 8.1):

# OWASP-recommended values that Fedora 37 / PHP 8.1 already ships. Where a line
# carries a trailing comment naming another value, that appears to be the Fedora
# default, which differs from the OWASP figure shown — reading of the author's
# notes, confirm.
# NOTE(review): the `#` annotations are carried over from the cheatsheet; a real
# php.ini uses `;` for comments, so do not paste these lines as-is — confirm
# against the target PHP's ini parser.
expose_php              = Off
error_reporting         = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors          = Off
display_startup_errors  = Off
# With display_* Off, log_errors is the only place failures surface; make sure
# the php-fpm error log is actually collected (see the error_log note below).
log_errors              = On
ignore_repeated_errors  = Off
allow_url_include       = Off
upload_max_filesize     = 2M
enable_dl               = Off
disable_classes         =
memory_limit            = 50M  # Default to 128M
post_max_size           = 20M # Default to 2M
max_execution_time      = 60 # Set to 30
max_file_uploads        = 2  # Set to 20
report_memleaks         = On
session.auto_start               = Off
session.use_trans_sid            = 0
session.use_cookies              = 1
session.use_only_cookies         = 1

Missing:

# OWASP-recommended values not covered by the Fedora defaults.
# NOTE(review): the `#` annotations are carried over from the cheatsheet; a real
# php.ini uses `;` for comments — confirm before copying these lines verbatim.
allow_url_fopen         = Off
# NOTE(review): allow_webdav_methods does not look like a documented php.ini
# directive — verify it exists for the target PHP version before adding it.
allow_webdav_methods    = Off
# Server-side session expiry; shorter than cookie_lifetime below, so the
# server copy expires first (presumably intended as an idle timeout — confirm).
session.gc_maxlifetime  = 600 # Set to 1440
# NOTE(review): track_errors was removed in PHP 8.0, so on PHP 8.1 this line
# should have no effect — confirm and drop if so.
track_errors            = Off
html_errors             = Off

# Reject session IDs the server did not issue (session fixation mitigation).
session.use_strict_mode          = 1
session.cookie_lifetime          = 14400
# Cookie attributes: HTTPS-only, not readable by scripts, not sent cross-site.
# cookie_secure = 1 assumes the application is served over TLS only.
session.cookie_secure            = 1
session.cookie_httponly          = 1
session.cookie_samesite          = Strict
session.cache_expire             = 30  # Set to 180
# NOTE(review): sid_length / sid_bits_per_character are deprecated in newer PHP
# releases (8.4) — confirm against the PHP version the role targets.
session.sid_length               = 256 # Set to 26
session.sid_bits_per_character   = 6 # set to 5
# NOTE(review): the value is a placeholder; Referer is client-controlled, so
# this is defence in depth at best — confirm it is worth exposing in the role.
session.referer_check   = /application/path

# Must be optional and/or configurable
file_uploads            = Off
# NOTE(review): several names here (fopen_with_path, dbmopen, dbase_open,
# filepro*) come from long-removed extensions and the safe-mode link is
# obsolete; prune the list against what the target PHP actually exposes — confirm.
disable_functions       = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo # see also: http://ir.php.net/features.safe-mode
session.name                     = myPHPSESSID
session.cookie_domain            = full.qualified.domain.name

# Path-based settings; all values below are placeholders to be templated per host.
open_basedir            = /path/DocumentRoot/PHP-scripts/  # Warning: break some cache
upload_tmp_dir          = /path/PHP-uploads/  # Should use a /tmp sub-directory
session.save_path                = /path/PHP-session/  # Warning: Break garbage collection
#session.cookie_path             = /application/path/
doc_root                = /path/DocumentRoot/PHP-scripts/
include_path            = /path/PHP-pear/
extension_dir           = /path/PHP-extensions/

# ignored
error_log               = /valid_path/PHP-logs/php_error.log # Redirected to Nginx
mime_magic.magicfile    = /path/PHP-magic.mime