PHP Security Recommendations
The following settings can be used to tighten the security of a PHP installation. To make the recommended changes, locate and open the php.ini file and edit the configuration settings as described below:
| Setting | Description |
|---|---|
| allow_url_fopen=Off allow_url_include=Off | Disable remote URLs for file handling functions, which may cause code injection vulnerabilities. |
| register_globals=Off | Disable register_globals. |
| open_basedir=”c:\inetpub\” | Restrict where PHP processes can read and write on a file system. |
| safe_mode=Off safe_mode_gid=Off | Disable safe mode. |
| max_execution_time=30 max_input_time=60 | Limit script execution time. |
| memory_limit=16M upload_max_filesize=2M post_max_size=8M max_input_nesting_levels=64 | Limit memory usage and file sizes. |
| display_errors=Off log_errors=On error_log=”C:\path\of\your\choice” | Configure error messages and logging. |
| fastcgi.logging=0 | The IIS FastCGI module will fail the request when PHP sends any data on stderr by using the FastCGI protocol. Disable FastCGI logging to prevent PHP from sending error information over stderr and generating 500 response codes for the client. |
| expose_php=Off | Hide the presence of PHP. |
