Web Server Hardening - PHP


1. Secure PHP Configuration in php.ini


1.1 OWASP A2:2017 - Broken Authentication

Change the Session File Path (use a dedicated directory outside the web root that only the web server process can read and write)
session.save_path="C:\xampp\tmp"

1.2 OWASP A3:2017-Sensitive Data Exposure

Error Reporting for Production (report and log every error, but never display it to the client)
error_reporting=E_ALL
display_errors=Off
log_errors=On

Disable PHP version output (removes the X-Powered-By header)
expose_php=Off

1.3 OWASP A5:2017 - Broken Access Control

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-639: Authorization Bypass Through User-Controlled Key


Disable Remote File Includes (URL wrappers for fopen and include/require)
allow_url_fopen = Off
allow_url_include = Off

1.4 OWASP A6:2017 - Security Misconfiguration

Disable Unused PHP Functions
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open

Disable Global Variables (register_globals was removed in PHP 5.4; this setting only applies to legacy installations)
register_globals=Off

Restrict File Uploads (file_uploads=Off disables uploads entirely; if the application needs uploads, keep it On and rely on the dedicated temporary directory and size limit)
file_uploads=Off
upload_tmp_dir="C:\securelocation"
upload_max_filesize=2M

1.5 OWASP A7:2017 - Cross-Site Scripting (XSS)

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Set the HttpOnly and Secure Flags on the Session Cookie
session.cookie_httponly = True
session.cookie_secure = True


2. PHP Configuration Assessment Tool

SektionEins GmbH - PHP Secure Configuration Checker
https://github.com/sektioneins/pcc
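A small checker in the same spirit, added here as an example (not part of this post and not the SektionEins tool): it parses a php.ini fragment and reports every setting that deviates from the baseline given in section 1. The php.ini sample is constructed; the function names are this example's own.

```python
# Baseline taken from the php.ini settings recommended on this page.
EXPECTED_BOOL = {
    "display_errors": False, "log_errors": True, "expose_php": False,
    "allow_url_fopen": False, "allow_url_include": False, "file_uploads": False,
    "session.cookie_httponly": True, "session.cookie_secure": True,
}
EXPECTED_DISABLED = {"system", "exec", "shell_exec", "passthru", "phpinfo",
                     "show_source", "popen", "proc_open"}
TRUE_WORDS = {"1", "on", "true", "yes"}   # php.ini spellings that mean "enabled"

def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], strips quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings

def audit(settings):
    """Return findings for settings that deviate from the baseline (empty = pass)."""
    findings = []
    for key, want in EXPECTED_BOOL.items():
        if key not in settings:
            findings.append(f"{key}: not set, PHP default applies")
        elif (settings[key].lower() in TRUE_WORDS) != want:
            findings.append(f"{key}: is '{settings[key]}', expected {'On' if want else 'Off'}")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return findings

# Constructed sample php.ini fragment with several weak or absent settings.
SAMPLE_INI = """[PHP]
expose_php = On            ; version leaks via X-Powered-By
display_errors = On
allow_url_fopen = On
disable_functions = system, exec
session.cookie_httponly = 1
session.cookie_secure = "True"
"""

if __name__ == "__main__":
    for finding in audit(parse_php_ini(SAMPLE_INI)):
        print(finding)
```

Settings that are absent are reported too, because PHP's compiled-in default (for example allow_url_fopen=On) then applies.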




3. PHP Security Extension

Suhosin

https://suhosin.org/stories/index.html


Reference:
OWASP - PHP Configuration Cheat Sheet
