PHP Security: Hardening Your Server Through php.ini Settings

PHP · 19.04.2026

Why Harden PHP

A properly configured php.ini shuts down whole classes of attack surface: remote code execution (RCE) through shell-spawning functions, disclosure of server details such as the PHP version and error output, and filesystem access outside the web root. It is the first step in securing any PHP server, before any application-level hardening.

Hide PHP Version

expose_php = Off

Disable Dangerous Functions

; php.ini has no line-continuation syntax (a trailing backslash is part of the value),
; so the whole list must sit on one line. disable_functions is PHP_INI_SYSTEM:
; it can only be set here or in an FPM pool's php_admin_value, never from a script.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,parse_ini_file,show_source,phpinfo

Restrict Filesystem Access

; open_basedir entries are prefix matches: /var/www/mysite also permits /var/www/mysite2.
; End an entry with / to limit it to that directory and its children.
open_basedir = /var/www/mysite/:/tmp/
allow_url_fopen = Off
allow_url_include = Off

Secure Session Settings

session.cookie_httponly = On
; cookie_secure means the browser only sends the session cookie over HTTPS;
; on a plain-HTTP site sessions will silently stop working.
session.cookie_secure = On
session.use_strict_mode = On
; cookie_samesite requires PHP 7.3 or later.
session.cookie_samesite = Strict

PHP Security Checklist

  • expose_php = Off — hide PHP version
  • display_errors = Off — never show errors to users
  • log_errors = On — log errors to file
  • allow_url_include = Off — block remote includes
  • disable_functions — disable dangerous functions
  • session.cookie_httponly = On — protect sessions
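The checklist can be verified without a running interpreter by parsing the php.ini file itself. The script below is an added example, not part of this article: it flattens a php.ini into directives using PHP's own boolean rules (On/yes/true/1 are true; Off/no/none/null/empty are false; any other string such as display_errors = stderr is truthy) and reports every deviation from the settings above. The two embedded ini texts are constructed samples, and the function names (parse_php_ini, ini_bool, audit) are this example's own. It audits the file on disk, not the interpreter that serves requests; php --ini shows which file each SAPI loaded, and php-fpm often reads a different php.ini than the CLI.

```python
import configparser

# Directives the article requires to be Off.
MUST_BE_OFF = ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include")
# Directives the article requires to be On.
MUST_BE_ON = ("log_errors", "session.cookie_httponly",
              "session.cookie_secure", "session.use_strict_mode")
# Shell-spawning subset of the article's disable_functions list; extend as needed.
REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_php_ini(text):
    """Flatten php.ini text into {directive: value}; the last definition wins.

    PHP ignores plain [Section] headers, so sections are merged. Directives are
    allowed before any header (configparser needs a dummy one). Names keep
    their case because PHP treats directive names case-sensitively.
    """
    parser = configparser.ConfigParser(
        strict=False,            # repeated directive: keep the last, as PHP does
        interpolation=None,      # '%' is literal in php.ini
        delimiters=("=",),       # ':' appears inside open_basedir values
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";",),
    )
    parser.optionxform = str
    parser.read_string("[__top__]\n" + text)
    settings = {}
    for section in parser.sections():
        for key, value in parser.items(section):
            settings[key] = value.strip().strip('"')
    return settings


def ini_bool(value):
    """Mirror PHP's ini scanner for boolean directives."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return True
    if v in ("", "0", "off", "false", "no", "none", "null"):
        return False
    return True  # e.g. display_errors = stderr is truthy in PHP


def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name in MUST_BE_OFF:
        if name not in settings:
            findings.append(f"{name}: not set, compiled-in default applies")
        elif ini_bool(settings[name]):
            findings.append(f"{name}: is On, expected Off")
    for name in MUST_BE_ON:
        if name not in settings:
            findings.append(f"{name}: not set, compiled-in default applies")
        elif not ini_bool(settings[name]):
            findings.append(f"{name}: is Off, expected On")

    # Function names are case-insensitive in PHP, so compare lowercased.
    raw = settings.get("disable_functions", "")
    disabled = {f.strip().lower() for f in raw.split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))

    if not settings.get("open_basedir"):
        findings.append("open_basedir: empty, scripts may open any path the PHP user can read")

    samesite = settings.get("session.cookie_samesite", "")
    if samesite not in ("Strict", "Lax"):
        findings.append(f"session.cookie_samesite: {samesite!r}, expected Strict or Lax")
    return findings


# Constructed sample: a php.ini that follows the article's settings.
HARDENED_INI = """\
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,parse_ini_file,show_source,phpinfo
open_basedir = /var/www/mysite/:/tmp/
allow_url_fopen = Off
allow_url_include = Off

[Session]
session.cookie_httponly = On
session.cookie_secure = On
session.use_strict_mode = On
session.cookie_samesite = Strict
"""

# Constructed sample: a development-style php.ini with quoting, an inline
# comment, no section header, and a later override of allow_url_include.
WEAK_INI = """\
expose_php = "On"
display_errors = stderr     ; truthy even though it is not the word On
log_errors = 1
disable_functions = exec,system
open_basedir =
allow_url_fopen = yes
allow_url_include = Off
session.cookie_httponly = On
session.cookie_secure = Off
session.use_strict_mode = 0
session.cookie_samesite = Strict
allow_url_include = On
"""

if __name__ == "__main__":
    for finding in audit(parse_php_ini(WEAK_INI)):
        print("FAIL", finding)
```

Run it against the real file with parse_php_ini(open(path).read()); a missing directive is reported as a finding rather than assumed safe, since the compiled-in default for expose_php, display_errors and allow_url_fopen is On.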