PHP.INI Security Settings

To protect your server from potential threats, it’s crucial to configure several PHP functions correctly. While securing your entire system can be complex and may require various specialized tools, this tutorial will focus on some basic steps that don’t require extra spending.

Let’s explore some initial configurations to increase the security of your PHP application hosted on the platform.

The main PHP configuration file, php.ini, includes many default settings that you can customize or expand upon to suit your application’s needs. You’ll find this file in the etc directory of your Apache or NGINX-PHP application server. As a platform customer, you have full access to edit this file, so let’s review which settings you can adjust to improve your server’s security.

Keep in mind that the values suggested below are recommendations. Before making any changes, ensure that these configurations align with your application’s requirements to avoid compromising its performance.

To begin, press the Config button for your Apache or NGINX server. In the new tab that appears, navigate to the etc directory and open the php.ini file.

Open Php.ini File

Step 1. Insert the directive below to deactivate insecure functions:

disable_functions = phpinfo, system, mail, exec

Security can be improved further by also turning off the following functions:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Note that disable_functions is a single comma-separated directive: if it appears twice in php.ini, only the later line takes effect, so merge every function you want disabled (including phpinfo and mail from the first line) into one line.

Deactivate Insecure Functions

Step 2. Determine whether the amount of resources allowed is suitable for your application.

  • The maximum time a script is allowed to run is 30 seconds (max_execution_time = 30).
  • Each script has up to 60 seconds to parse request data (max_input_time = 60).
  • The largest file that can be uploaded is limited to 2MB (upload_max_filesize = 2M).
  • The maximum amount of memory a script can use is 8MB (memory_limit = 8M). Although the default is 128MB, it’s fine to lower this as long as it doesn’t affect your application’s performance.
  • The maximum size for POST data that PHP will accept is 8MB (post_max_size = 8M).

Step 3. You can limit the following functions if they aren’t essential for your application:

  • Disable HTTP file uploads by setting file_uploads to Off.
  • Prevent PHP error messages from being displayed to end users by setting display_errors to Off.
  • Limit which environment variables scripts may modify under safe mode by setting safe_mode_allowed_env_vars to PHP_ (only variables whose names start with that prefix can be changed).
  • Stop PHP from exposing its version information by setting expose_php to Off.
  • Disable the automatic registration of global variables for input data with register_globals set to Off.
  • Prevent opening remote files by setting allow_url_fopen to Off.

Step 4. To learn more about the current security status, activate these features:

  • Ensure that the PHP redirecting setting cgi.force_redirect is set to 0 for appropriate redirection.
  • Enable comprehensive error logging by turning on the log_errors setting.

Step 5. Activate any available safety protocols:

  • Activate safe mode by setting safe_mode to On.
  • Enable SQL safe mode by setting sql.safe_mode to On.

Note: when applying the settings above, consider what your application needs. Some of these options may not be available in your PHP version: safe_mode, safe_mode_allowed_env_vars and register_globals were removed in PHP 5.4, and sql.safe_mode in PHP 7.2, so newer versions simply ignore those lines.
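The script below is an added example, not part of this tutorial or the platform's own tooling: it checks the running PHP's effective configuration against the recommendations in Steps 1 to 5 and reports which of the legacy directives the current PHP build no longer recognizes. It assumes it is executed under the same SAPI as the application (for example through the web server rather than the CLI).

```php
<?php
// Added example (not from the original page or the platform): audit the running
// PHP's effective configuration against this tutorial's recommendations.
// Run it under the same SAPI as the application (e.g. through the web server),
// because the CLI and Apache/FPM can load different php.ini files.
// Convert php.ini shorthand (2M, 512K, 1G) to bytes; -1 means unlimited.
function iniBytes(string $v): int {
    $v = trim($v);
    if ($v === '-1') return PHP_INT_MAX;
    $n = (int)$v;
    switch (strtolower(substr($v, -1))) {
        case 'g': $n *= 1024; // fall through: G = 1024 M
        case 'm': $n *= 1024; // fall through: M = 1024 K
        case 'k': $n *= 1024;
    }
    return $n;
}

// Returns human-readable findings; an empty array means every check passed.
function auditPhpIni(): array {
    $findings = [];
    // Steps 3 and 4: directives that should be Off, and log_errors which should be On.
    foreach (['file_uploads', 'display_errors', 'expose_php', 'allow_url_fopen'] as $d) {
        if (filter_var(ini_get($d), FILTER_VALIDATE_BOOLEAN)) $findings[] = "$d is On; recommended Off";
    }
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) $findings[] = "log_errors is Off; recommended On";
    // Step 2: size limits in bytes and time limits in seconds (0 or -1 means unlimited).
    foreach (['upload_max_filesize' => '2M', 'post_max_size' => '8M', 'memory_limit' => '8M'] as $d => $max) {
        if (iniBytes((string)ini_get($d)) > iniBytes($max)) $findings[] = "$d=" . ini_get($d) . " exceeds $max";
    }
    foreach (['max_execution_time' => 30, 'max_input_time' => 60] as $d => $max) {
        $t = (int)ini_get($d);
        if ($t <= 0 || $t > $max) $findings[] = "$d=$t exceeds {$max}s (0 or -1 means unlimited)";
    }
    // Step 1: every function the tutorial names should be listed in disable_functions.
    $disabled = array_map('trim', explode(',', (string)ini_get('disable_functions')));
    $wanted = ['phpinfo', 'system', 'mail', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen',
               'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];
    foreach (array_diff($wanted, $disabled) as $fn) $findings[] = "$fn is not in disable_functions";
    // Steps 3 and 5: ini_get() returns false for directives this PHP build does not know
    // (safe_mode, register_globals and safe_mode_allowed_env_vars were removed in PHP 5.4,
    // sql.safe_mode in 7.2), so a php.ini line setting them is silently ignored.
    foreach (['safe_mode', 'safe_mode_allowed_env_vars', 'register_globals', 'sql.safe_mode'] as $d) {
        if (ini_get($d) === false) $findings[] = "$d is unknown to PHP " . PHP_VERSION . "; drop it from php.ini";
    }
    return $findings;
}

foreach (auditPhpIni() ?: ['All checks passed'] as $line) echo $line, PHP_EOL;
```

Because the platform lets you edit php.ini directly, running this once after saving the file confirms that the new values are the ones PHP actually loaded.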