Closed JGoutin closed 1 year ago
Already in Fedora defaults (Fedora 37/PHP 8.1):
; Directives the issue author reports as already present in the Fedora 37 / PHP 8.1 defaults.
; NOTE(review): php.ini comments start with ";" — "#" comment support was removed in PHP 7.0
; as I recall, so the inline "# ..." annotations below must be dropped (or moved to ";" form)
; before any of these lines are copied into a real php.ini.
expose_php = Off
; Errors are logged but never rendered to the client.
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
ignore_repeated_errors = Off
; Remote include/require is disabled.
allow_url_include = Off
upload_max_filesize = 2M
; Runtime extension loading via dl() is disabled.
enable_dl = Off
; Empty value: no classes are disabled.
disable_classes =
; The "# Default to ..." / "# Set to ..." annotations appear to record the Fedora default
; where it differs from the value proposed here — confirm against the distro php.ini.
memory_limit = 50M # Default to 128M
post_max_size = 20M # Default to 2M
max_execution_time = 60 # Set to 30
max_file_uploads = 2 # Set to 20
report_memleaks = On
; Sessions are cookie-only: no auto-start, no session ID carried in URLs.
session.auto_start = Off
session.use_trans_sid = 0
session.use_cookies = 1
session.use_only_cookies = 1
Missing:
; Directives the issue author reports as NOT yet set in the Fedora defaults.
; Disables URL stream wrappers for fopen()/file_get_contents() etc.; applications that
; fetch remote resources through those functions may need an alternative.
allow_url_fopen = Off
; NOTE(review): listed in the OWASP cheat sheet, but I do not find this among the core
; php.ini directives — verify it is actually honoured before relying on it.
allow_webdav_methods = Off
; Inline "# Set to ..." annotations are not valid php.ini comment syntax (see ";").
session.gc_maxlifetime = 600 # Set to 1440
; NOTE(review): track_errors was removed in PHP 8.0, so this line is a no-op on PHP 8.1.
track_errors = Off
html_errors = Off
; Reject session IDs that were not generated by the server (session fixation mitigation).
session.use_strict_mode = 1
session.cookie_lifetime = 14400
; Cookie is HTTPS-only, not readable from script, and not sent cross-site.
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.cache_expire = 30 # Set to 180
; 256 is the maximum sid_length; 6 bits/char is the maximum bits_per_character.
session.sid_length = 256 # Set to 26
session.sid_bits_per_character = 6 # set to 5
; Placeholder path — substring that must appear in the Referer header for the
; session to be kept; presumably to be set per deployment.
session.referer_check = /application/path
# Must be optional and/or configurable
; Breaks any application that accepts uploads; hence optional.
file_uploads = Off
; Defence-in-depth list of internal functions to disable. NOTE(review): several names here
; (fopen_with_path, dbmopen, dbase_open, filepro*) do not exist in PHP 8 as far as I can
; tell — harmless but dead entries. The trailing "# see also" annotation is not valid
; php.ini comment syntax, and the linked safe_mode feature was removed in PHP 5.4.
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo # see also: http://ir.php.net/features.safe-mode
; Non-default cookie name; placeholder value.
session.name = myPHPSESSID
; Placeholder; must match the deployed host.
session.cookie_domain = full.qualified.domain.name
; Restricts file access to the given tree; the author notes it can break caching.
open_basedir = /path/DocumentRoot/PHP-scripts/ # Warning: break some cache
upload_tmp_dir = /path/PHP-uploads/ # Should use a /tmp sub-directory
; Custom save_path: the "break garbage collection" warning presumably refers to the
; distro's session cleanup only covering the default directory — confirm.
session.save_path = /path/PHP-session/ # Warning: Break garbage collection
#session.cookie_path = /application/path/
; Deployment-specific placeholder paths.
doc_root = /path/DocumentRoot/PHP-scripts/
include_path = /path/PHP-pear/
extension_dir = /path/PHP-extensions/
# ignored
; Author's note: errors are already redirected to Nginx, so a separate PHP log is not set.
error_log = /valid_path/PHP-logs/php_error.log # Redirected to Nginx
; NOTE(review): the mime_magic extension was, I believe, removed in PHP 5.3, so this
; directive has no effect on PHP 8.1.
mime_magic.magicfile = /path/PHP-magic.mime
Provide hardening based on the OWASP PHP Configuration Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
Refs: