This is an overview of the recommended directives for your application. The most important directives are collected here for a quick review. The full list of directives is available as a link to the manual, where applicable. When an extension is missing from the list below, either it has no specific configuration directive, or it is not used by the current code.
Directive | Suggestion | Description |
---|---|---|
pdo | ||
Extra configurations | PDO runtime configuration | |
session | ||
session.name | Anything but PHPSESSID | Sets the session name, which is also the name of the session cookie. Give it an explicit, application-specific value instead of the default PHPSESSID. |
session.save_path | Avoid /tmp | Sets the directory where session files are stored when the files handler is used. Avoid /tmp: it is readable by every local account, and session files are named sess_<id>, so listing the directory reveals live session identifiers. Use a directory dedicated to the web server user. |
session.auto_start | 1 | Starts a session at the beginning of every request, without an explicit session_start() call. PHP's own default is 0, so this has to be set explicitly; with it on, every request handled by PHP, authenticated or not, creates a session. |
session.cookie_httponly | 1 | Marks the session cookie HttpOnly, so it is not exposed to JavaScript through document.cookie. This does not prevent XSS itself, but it keeps an injected script from simply reading the session id; all current browsers honour the flag. |
session.use_only_cookies | 1 | Accept the session id only from the cookie, never from a GET or POST parameter. This closes the session-fixation path where an attacker supplies the id in a crafted link. |
session.use_trans_sid | 0 | When enabled, PHP rewrites links and forms to carry the session id in the URL for clients without cookies. The id then lands in browser history, proxy and server logs and Referer headers, and is trivially shared, so keep this off. |
session.cookie_domain | As narrow as possible | Limits the hosts to which the browser sends the session cookie; the more restrictive the better. A bare public suffix such as ".net" is rejected by browsers, so it cannot be used to share a cookie across all ".net" sites. ".yourdomain.net" shares the cookie with every subdomain, while "www.yourdomain.net" restricts it to that host and does not share it with "images.yourdomain.net", which may be too restrictive if several hosts need the session. Left empty (the default), the cookie is host-only. |
Extra configurations | Session runtime configuration | |
Enable DL | ||
enable_dl | Off | Whether the dl() function, which loads a PHP extension into the running process, is enabled. Keep it Off: any code that can write a shared object to disk could otherwise load native code into PHP. dl() does not work properly in multithreaded servers such as IIS or Zeus and is disabled there automatically, and since PHP 5.3 it is available only in the CLI, CGI and embed SAPIs anyway. |
Disable features | ||
disable_functions | exec, passthru, shell_exec, system, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, popen, pclose, curl_exec, curl_multi_exec, show_source, symlink, fsockopen, pfsockopen, socket_connect, socket_create_listen, socket_create_pair, socket_create, mail, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, dl, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid | Disables the listed functions for security reasons. It takes a comma-delimited list of function names and can only be set in php.ini (or an equivalent such as php_admin_value in a php-fpm pool), not with ini_set() or .htaccess. The old note that it is unaffected by Safe Mode is moot: Safe Mode was removed in PHP 5.4. 1 sensitive function was found in the code; do not disable it: |
disable_classes | phar | Disables the listed classes for security reasons. It takes a comma-delimited list of class names and must be set in php.ini; the old Safe Mode caveat is moot since Safe Mode was removed in PHP 5.4. Disabling Phar only blocks instantiating the class: the phar:// stream wrapper stays registered, so a file function given a phar:// path can still unserialize phar metadata unless the application calls stream_wrapper_unregister('phar'). 1 sensitive class was found in the code; do not disable it: |
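The following is an added example, not part of this report and not Exakat code. It audits the running PHP configuration against the session, enable_dl, disable_functions and disable_classes recommendations in the table above. The session directives are PHP_INI_ALL, so the script applies them with ini_set() before session_start(); the other three are PHP_INI_SYSTEM and can only be changed in php.ini, so the script reports them. The host name www.yourdomain.net, the save path /var/lib/php/app-sessions and the assumption that the application itself calls mail() are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example (not from the report): audit php.ini against the table above and
// apply the runtime-settable session directives. Host, save path and the list of
// functions the application uses are hypothetical values for illustration.

const SESSION_DIRECTIVES = [
    'session.name'             => 'app_sid', // anything but the default PHPSESSID
    'session.cookie_httponly'  => '1',
    'session.use_only_cookies' => '1',
    'session.use_trans_sid'    => '0',
    'session.use_strict_mode'  => '1',       // extra: reject ids PHP did not issue
    'session.cookie_secure'    => '1',       // extra: send the cookie only over TLS
];

// disable_functions list from the table above (symlink is listed twice there; ini_list() dedupes).
const RECOMMENDED_DISABLED_FUNCTIONS = 'exec, passthru, shell_exec, system, proc_open, proc_nice, '
    . 'proc_terminate, proc_get_status, proc_close, popen, pclose, curl_exec, curl_multi_exec, '
    . 'show_source, symlink, fsockopen, pfsockopen, socket_connect, socket_create_listen, '
    . 'socket_create_pair, socket_create, symlink, mail, apache_child_terminate, apache_get_modules, '
    . 'apache_get_version, apache_getenv, apache_note, apache_setenv, pcntl_alarm, pcntl_errno, '
    . 'pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, '
    . 'pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, '
    . 'pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, '
    . 'pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, dl, leak, posix_kill, posix_mkfifo, '
    . 'posix_setpgid, posix_setsid, posix_setuid';

/** Split a comma-delimited ini value into a trimmed, lowercase, deduplicated list. */
function ini_list(string $value): array
{
    $items = array_map('strtolower', array_map('trim', explode(',', $value)));
    return array_values(array_unique(array_filter($items, 'strlen')));
}

/** Findings for the PHP_INI_SYSTEM directives; only php.ini can change these. */
function audit_system_directives(array $usedByApp): array
{
    $findings    = [];
    $recommended = ini_list(RECOMMENDED_DISABLED_FUNCTIONS);
    $disabled    = ini_list((string) ini_get('disable_functions'));

    if (filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'enable_dl is On; set enable_dl=Off';
    }
    $missing = array_diff($recommended, $disabled);
    if ($missing !== []) {
        $findings[] = 'not in disable_functions: ' . implode(', ', $missing);
    }
    // The report lists functions the application itself calls; disabling one of
    // those breaks the application, so flag the overlap instead of recommending it.
    $clash = array_intersect($recommended, ini_list(implode(',', $usedByApp)));
    if ($clash !== []) {
        $findings[] = 'recommended but used by the application, keep enabled: ' . implode(', ', $clash);
    }
    // Since PHP 8.0 a disabled function is removed from the function table, so
    // function_exists() is a cheap check that the php.ini setting took effect.
    if (PHP_VERSION_ID >= 80000) {
        foreach ($disabled as $fn) {
            if (function_exists($fn)) {
                $findings[] = "$fn is in disable_functions but is still defined";
            }
        }
    }
    if (!in_array('phar', ini_list((string) ini_get('disable_classes')), true)) {
        $findings[] = 'disable_classes does not include phar';
    }
    // disable_classes=phar blocks `new Phar()` only; the phar:// stream wrapper
    // stays registered unless the application removes it at bootstrap.
    if (in_array('phar', stream_get_wrappers(), true)) {
        $findings[] = 'phar:// wrapper registered; call stream_wrapper_unregister("phar") at bootstrap';
    }
    return $findings;
}

/** Apply the session directives at runtime; must run before session_start(). */
function harden_session(string $cookieDomain, string $savePath): array
{
    if (session_status() === PHP_SESSION_ACTIVE || headers_sent()) {
        return ['session already started or headers sent; call harden_session() earlier'];
    }
    $findings = [];
    $wanted   = SESSION_DIRECTIVES + ['session.save_path' => $savePath, 'session.cookie_domain' => $cookieDomain];
    foreach ($wanted as $directive => $value) {
        if (ini_set($directive, $value) === false || (string) ini_get($directive) !== $value) {
            $findings[] = "$directive could not be set to '$value' at runtime";
        }
    }
    // Session files are named sess_<id>, so anyone who can list the directory
    // learns live ids: reject /tmp and any directory others can enter.
    $real = realpath($savePath);
    if ($real === false || !is_dir($real) || !is_writable($real)) {
        $findings[] = "$savePath is not a writable directory";
    } elseif ($real === realpath(sys_get_temp_dir()) || (fileperms($real) & 0007) !== 0) {
        $findings[] = "$savePath is shared or world-accessible; use a 0700 directory owned by the web server user";
    }
    return $findings;
}

$findings = array_merge(
    audit_system_directives(['mail']),                                // constructed: the app sends mail
    harden_session('www.yourdomain.net', '/var/lib/php/app-sessions') // hypothetical host and path
);
foreach ($findings as $finding) {
    echo "- $finding\n";
}
if ($findings === []) {
    session_start();
}
```

Run it from the application's bootstrap, before anything writes output. On a stock installation it prints a finding per unmet recommendation; the disable_functions, disable_classes and enable_dl findings have to be fixed in php.ini or the php-fpm pool, and the mail() clash shows why the report's "do not disable those" list must be subtracted from the recommended list before it is applied.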