How to configure PHP to secure a web server

Certain PHP configuration directives affect security. The following settings are recommended for production servers.

  • register_globals set to Off
  • safe_mode set to Off
  • display_errors set to Off and log_errors set to On (error_reporting only selects which errors are reported; display_errors is the directive that controls whether they are shown to users)
  • disable_functions listing system(), exec(), passthru(), shell_exec(), proc_open() and popen()
  • open_basedir set to the web root and the /tmp directory, so that scripts cannot access files outside those areas
  • expose_php set to Off
  • allow_url_fopen set to Off, and allow_url_include set to Off as well, so that include/require cannot load code from a remote URL

register_globals has been Off by default since PHP 4.2, and both register_globals and safe_mode were removed in PHP 5.4, so these two items only matter on legacy installations (a php.ini that still sets them on a current PHP produces a startup warning).

safe_mode never really made anything safe: it tried to enforce access restrictions inside the PHP interpreter rather than at the operating-system level, and PHP removed it for that reason.

Do not show error information to the public or to normal users; file paths, stack traces and database details in error messages help an attacker find a way into the system. Set display_errors to Off and log_errors to On so that errors are written to the log instead of the response.

Disable expose_php so that the X-Powered-By response header no longer advertises the PHP version.

Finally, these settings only protect the production server if they are actually in effect: check the loaded configuration after every change and after every PHP upgrade, since a replaced php.ini can silently revert them.
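As an added example (not code from the original article), the following PHP 8 script turns the checklist into an automated audit. It checks a constructed weak php.ini fragment first, then the configuration of the SAPI that is executing it. The web root /var/www/html is assumed, the weak fragment is made up for illustration, and log_errors and allow_url_include are included as directives closely related to the list above rather than taken from it.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original article: audit a PHP configuration
// against the production checklist. Requires PHP 8 (str_starts_with).
// Run it through the web SAPI (php-fpm or mod_php), not only the CLI: the CLI
// usually loads a different php.ini, so a clean CLI result proves little.

const MUST_BE_OFF = ['register_globals', 'safe_mode', 'display_errors',
                     'expose_php', 'allow_url_fopen', 'allow_url_include'];
const MUST_BE_ON  = ['log_errors'];
const MUST_BE_DISABLED = ['system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen'];

// Constructed weak configuration, roughly what a development php.ini looks like.
const WEAK_INI = <<<'INI'
display_errors = On
log_errors = Off
expose_php = On
allow_url_fopen = On
disable_functions =
open_basedir =
INI;

/** Interpret php.ini boolean spellings: On/Off, 1/0, true/false, yes/no, "". */
function iniBool(?string $value): bool
{
    return $value !== null
        && in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes'], true);
}

/** True if $path lies inside one of the open_basedir entries (prefix match on directories). */
function coveredByBasedir(string $path, array $entries): bool
{
    $path = rtrim($path, '/') . '/';
    foreach ($entries as $e) {
        if (str_starts_with($path, rtrim(trim($e), '/') . '/')) {
            return true;
        }
    }
    return false;
}

/**
 * $ini maps directive => raw value, as returned by ini_get_all(null, false)
 * or parse_ini_string(..., INI_SCANNER_RAW). Returns a list of findings;
 * an empty list means the checklist is satisfied. Directives that do not
 * exist in this PHP version (register_globals, safe_mode on PHP >= 5.4) are
 * simply absent and therefore pass.
 */
function auditPhpConfig(array $ini, string $docRoot): array
{
    $findings = [];
    $get = fn(string $d): ?string => isset($ini[$d]) ? (string) $ini[$d] : null;

    foreach (MUST_BE_OFF as $d) {
        if (iniBool($get($d))) {
            $findings[] = "$d = On; set it to Off";
        }
    }
    foreach (MUST_BE_ON as $d) {
        if (!iniBool($get($d))) {
            $findings[] = "$d = Off; set it to On";
        }
    }

    // disable_functions is a comma-separated list of function names.
    $disabled = array_map('strtolower',
        array_filter(array_map('trim', explode(',', (string) $get('disable_functions')))));
    foreach (MUST_BE_DISABLED as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn() is not listed in disable_functions";
        }
    }

    // open_basedir must be set and must cover both the web root and the temp dir.
    $basedir = trim((string) $get('open_basedir'));
    if ($basedir === '') {
        $findings[] = 'open_basedir is empty; scripts can open any file the web server user can read';
    } else {
        $entries = explode(PATH_SEPARATOR, $basedir);   // ':' on Unix, ';' on Windows
        if (in_array('/', array_map('trim', $entries), true)) {
            $findings[] = 'open_basedir contains /, which restricts nothing';
        }
        foreach ([$docRoot, sys_get_temp_dir()] as $required) {
            if (!coveredByBasedir($required, $entries)) {
                $findings[] = "open_basedir does not cover $required";
            }
        }
    }
    return $findings;
}

// 1. The constructed weak fragment: every item on the checklist should fail.
$weak = parse_ini_string(WEAK_INI, false, INI_SCANNER_RAW);
foreach (auditPhpConfig($weak, '/var/www/html') as $f) {
    echo "weak php.ini: $f\n";
}

// 2. The configuration actually in effect for the SAPI running this script.
echo 'SAPI ' . PHP_SAPI . ', loaded ini: ' . (php_ini_loaded_file() ?: 'none') . "\n";
$docRoot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: getcwd();
$live = auditPhpConfig(ini_get_all(null, false), $docRoot);
foreach ($live as $f) {
    echo "live config: $f\n";
}
// Cross-check that disable_functions took effect: on PHP 8 a disabled
// function is reported by function_exists() as if it did not exist.
foreach (MUST_BE_DISABLED as $fn) {
    if (function_exists($fn)) {
        echo "live config: $fn() is still callable\n";
    }
}
if (!$live) {
    echo "live config passes the checklist\n";
}
```

The script prints one line per deviation rather than a pass/fail summary, so the same output can be dropped into a ticket. To audit the web SAPI, place it briefly under the document root at a non-guessable name, request it once, and delete it; for the CLI, `php audit.php` is enough. On distributions that ship separate php.ini files per SAPI (for example Debian's cli/ and fpm/ directories), each one has to be checked on its own.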