[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 643
  • Last Modified:

PHP Basic php.ini and .htaccess setting for security

Hello experts,

I've been looking into website security for php.ini and .htaccess files that I'm using. This area is failry new to me and I was hoping that someone can check that I haven't missed anything out? My files contain the details below. Both files are kept in the root directory.
PHP.INI

AddType application/x-httpd-php .dhtml

allow_url_fopen = off

expose_php = off

magic_quotes_gpc = off

magic_quotes_sybase = off

register_globals = off


.HTACCESS
AddType x-mapp-php4 .html .htm .shtml

Options -Indexes

<Files *.ini>
Order deny,allow
Deny from All 
</Files>

Open in new window

0
allanch08
Asked:
allanch08
  • 3
  • 2
2 Solutions
 
gmckeown99Commented:
<Files *.ini>... should not be needed. Your php.ini file should not be located within your readable web directories. I always compile PHP with --with-config-file-path=/usr/local/apache2/conf - which is not accessible by virtual hosts.

Change a few items to httpd.conf, or conf/extra/httpd-default.conf as well:

ServerTokens Prod
ServerSignature Off

Also remove Options Indexes unless you really have a reason to use them. This will prevent your code from being exposed if there is no default document.
0
 
allanch08Author Commented:
thanks for the reply. I have a shared hosting package so my options are limited but I will try your suggestions.
0
 
allanch08Author Commented:
I've done more research and I could add this as well:

# Do not display error files.
display_errors = off
display_startup_errors = off
log_errors = on
error_reporting = E_ALL
0
 
gmckeown99Commented:
These are all good settings for PHP. If you will be doing any dev work on that box, put the display_errors=on until you are done testing. It avoids having to look at syslogs for errors.

Generally, I like to code a 404error.php, 403error.php and a 501error.php pages that has PHP that handles these errors instead of the end user getting an error page. Then set the error error document in apache conf files to point to this pages.



0
 
allanch08Author Commented:
thanks
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now