PHP Basic php.ini and .htaccess setting for security

Hello experts,

I've been looking into website security for the php.ini and .htaccess files that I'm using. This area is fairly new to me and I was hoping that someone can check that I haven't missed anything out? My files contain the details below. Both files are kept in the root directory.

# .htaccess
AddType application/x-httpd-php .dhtml
AddType x-mapp-php4 .html .htm .shtml
Options -Indexes

# Block direct requests for any .ini file (closing tag added; it was missing)
<Files *.ini>
Order deny,allow
Deny from All
</Files>

; php.ini
allow_url_fopen = off
expose_php = off
magic_quotes_gpc = off
magic_quotes_sybase = off
register_globals = off


<Files *.ini>... should not be needed. Your php.ini file should not be located within your readable web directories. I always compile PHP with --with-config-file-path=/usr/local/apache2/conf - which is not accessible by virtual hosts.

Change a few items in httpd.conf, or conf/extra/httpd-default.conf, as well:

ServerTokens Prod
ServerSignature Off

Also remove Options Indexes unless you really have a reason to use them. This will prevent your code from being exposed if there is no default document.

allanch08 (Author) Commented:
thanks for the reply. I have a shared hosting package so my options are limited but I will try your suggestions.
allanch08 (Author) Commented:
I've done more research and I could add this as well:

# Do not display error files.
display_errors = off
display_startup_errors = off
log_errors = on
error_reporting = E_ALL

These are all good settings for PHP. If you will be doing any dev work on that box, set display_errors = on until you are done testing. It avoids having to look at syslogs for errors.

Generally, I like to code 404error.php, 403error.php and 501error.php pages that have PHP that handles these errors instead of the end user getting an error page. Then set the ErrorDocument directives in the Apache conf files to point to these pages.
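As an added example (not code from the thread), a single error handler page that the Apache ErrorDocument directives can point at; it assumes the file lives at /error.php, PHP 7 or later, and the display_errors = off / log_errors = on settings above, so the visitor sees a generic page while the detail goes to the error log.

```php
<?php
// Added example: generic error page for Apache ErrorDocument redirects.
// In .htaccess (assumed path /error.php):
//   ErrorDocument 403 /error.php
//   ErrorDocument 404 /error.php
//   ErrorDocument 500 /error.php
//   ErrorDocument 501 /error.php

// Apache passes the original status in REDIRECT_STATUS when it invokes
// an ErrorDocument; accept only the codes this page is meant to handle.
$allowed = [
    403 => 'Forbidden',
    404 => 'Not Found',
    500 => 'Internal Server Error',
    501 => 'Not Implemented',
];
$status = (int) ($_SERVER['REDIRECT_STATUS'] ?? 500);
if (!isset($allowed[$status])) {
    $status = 500;
}

// Keep the real status code (a direct hit would otherwise return 200)
// and make sure error responses are never cached.
http_response_code($status);
header('Cache-Control: no-store');
header('Content-Type: text/html; charset=UTF-8');

// Log the detail for the administrator only: with log_errors = on and
// display_errors = off, error_log() writes to the configured error log,
// never to the response body.
$requested = $_SERVER['REDIRECT_URL'] ?? $_SERVER['REQUEST_URI'] ?? '-';
$client    = $_SERVER['REMOTE_ADDR'] ?? '-';
error_log(sprintf('HTTP %d for %s from %s', $status, $requested, $client));

// The visitor gets a generic message with no path, stack trace,
// or server/PHP version details.
$title = htmlspecialchars($status . ' ' . $allowed[$status], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title><?= $title ?></title></head>
<body>
<h1><?= $title ?></h1>
<p>The page you requested could not be served.</p>
</body>
</html>
```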
