php.ini Security Settings
Also Known As
php.ini
PHP configuration file
PHP runtime settings
TL;DR
Critical php.ini directives that harden PHP applications by disabling dangerous features and restricting runtime behaviour.
Explanation
Key security directives in php.ini: display_errors=Off together with log_errors=On (no stack traces or file paths in responses, errors go to a log instead), expose_php=Off (drops the X-Powered-By version header), allow_url_include=Off (stops include/require from loading remote URLs, the classic remote file inclusion vector), disable_functions listing the command-execution functions (exec, system, passthru, shell_exec), open_basedir restricting file access to the application's own directories, session.use_strict_mode=On and session.cookie_httponly=On (rejects session IDs the server never issued and keeps the cookie out of reach of scripts), and post_max_size plus upload_max_filesize capped to bound request size. Review these regularly: the php.ini-development template shipped with PHP turns on debugging output, so production hosts should start from php.ini-production and tighten from there.
Common Misconception
✗ php.ini settings apply uniformly to all PHP processes on a server. The file is only the base layer. Values can be overridden per-virtualhost or per-directory (php_value/php_flag in httpd.conf or .htaccess under mod_php; .user.ini files under CGI/FastCGI and FPM), per-pool in PHP-FPM (php_value, or php_admin_value, which scripts cannot change), and at runtime with ini_set(). Each directive has a changeable mode (INI_SYSTEM, INI_PERDIR, INI_USER or INI_ALL) that decides which of those layers may set it, so when behaviour is unexpected, check ini_get() in the running process rather than the file on disk.
Why It Matters
php.ini controls PHP's runtime behaviour at the server level — misconfigured settings silently affect security, performance, and error visibility across every script.
Common Mistakes
- Using one php.ini for CLI and FPM: they need different memory_limit and max_execution_time values (the CLI SAPI already forces max_execution_time to 0), which is why Debian-style layouts keep a separate cli/php.ini and fpm/php.ini.
- Leaving expose_php = On: the X-Powered-By header advertises the exact PHP version to attackers and scanners.
- Not setting session.cookie_secure, session.cookie_httponly and session.cookie_samesite in php.ini, so every application has to remember to set them itself.
- Setting upload_max_filesize larger than post_max_size: a request body that exceeds post_max_size is discarded whole, so $_POST and $_FILES arrive empty and the upload fails with no error shown to the user. Keep upload_max_filesize at or below post_max_size, and memory_limit above post_max_size.
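The checklist in the Explanation and the size-ordering mistake above can be checked mechanically before a file is deployed. The script below is an added example, not code from this page or from the PHP project: it parses a php.ini file with a deliberately small parser (key = value lines, ; comments, [sections]; a value containing ';' would be cut short), flags the directives the Explanation calls out, and verifies upload_max_filesize ≤ post_max_size ≤ memory_limit. The two embedded sample files are constructed for the example; the set of dangerous functions comes from the Explanation, and the fallback sizes 2M, 8M and 128M are PHP's compiled-in defaults for the three size directives.

```python
"""Static audit of a php.ini file against the production checklist (added example)."""
from __future__ import annotations

import re

# PHP shorthand sizes: plain bytes, or an integer with a K/M/G suffix; negative means unlimited.
_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_ON = {"1", "on", "true", "yes"}
# Command-execution functions the Explanation names for disable_functions.
DANGEROUS_FUNCTIONS = {"exec", "system", "passthru", "shell_exec"}
MUST_BE_OFF = ("display_errors", "expose_php", "allow_url_include")
MUST_BE_ON = ("log_errors", "session.cookie_httponly",
              "session.cookie_secure", "session.use_strict_mode")


def parse_shorthand(value: str) -> int:
    """Convert a PHP size such as '12M' to bytes; a negative value (e.g. -1) means unlimited."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"not a PHP size value: {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    return -1 if number < 0 else number * _UNITS.get(unit, 1)


def parse_php_ini(text: str) -> dict[str, str]:
    """Parse the php.ini subset an audit needs. Later assignments win, as in PHP."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def _is_on(value: str) -> bool:
    return value.strip().lower() in _ON


def audit(settings: dict[str, str]) -> list[tuple[str, str]]:
    """Return (directive, problem) pairs; an empty list means the file passes."""
    findings: list[tuple[str, str]] = []
    for key in MUST_BE_OFF:
        if key not in settings:
            findings.append((key, "not set explicitly; the compiled-in default applies"))
        elif _is_on(settings[key]):
            findings.append((key, f"is {settings[key]}, must be Off"))
    for key in MUST_BE_ON:
        if key not in settings or not _is_on(settings[key]):
            findings.append((key, "must be On"))
    if settings.get("session.cookie_samesite", "").lower() not in ("lax", "strict"):
        findings.append(("session.cookie_samesite", "should be Lax or Strict"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append(("disable_functions", "still allows " + ", ".join(missing)))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "not set; scripts may open any file the PHP user can read"))
    # Size ordering. Fallbacks are PHP's compiled-in defaults (2M, 8M, 128M).
    # A body larger than post_max_size is discarded whole: $_POST and $_FILES come back empty.
    upload = parse_shorthand(settings.get("upload_max_filesize", "2M"))
    post = parse_shorthand(settings.get("post_max_size", "8M"))
    memory = parse_shorthand(settings.get("memory_limit", "128M"))
    if post > 0 and upload > post:
        findings.append(("upload_max_filesize", "exceeds post_max_size; such uploads are dropped silently"))
    if memory > 0 and post > memory:
        findings.append(("post_max_size", "exceeds memory_limit"))
    return findings


# Constructed sample: the Vulnerable block from this page plus a mis-sized upload pair.
VULNERABLE_INI = """
expose_php = On
display_errors = On
allow_url_include = On
session.cookie_httponly = 0
upload_max_filesize = 20M
post_max_size = 8M
"""

# Constructed sample: the production settings from the Fixed block.
HARDENED_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off
allow_url_include = Off
disable_functions = exec,system,passthru,shell_exec
open_basedir = "/var/www/app:/tmp"
session.use_strict_mode = 1
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = Lax
memory_limit = 256M
upload_max_filesize = 10M
post_max_size = 12M
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_INI
    for directive, problem in audit(parse_php_ini(text)):
        print(f"{directive}: {problem}")
```

Run it as `python audit_php_ini.py /etc/php/8.3/fpm/php.ini` (path assumed) to list findings, or with no argument to audit the embedded vulnerable sample. It checks the file, not the running process: a php_admin_value in an FPM pool or an ini_set() in application code can still change what PHP actually uses, so pair it with an ini_get() check on the live SAPI.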
Code Examples
✗ Vulnerable
; php.ini security issues:
expose_php = On ; advertises the exact PHP version in X-Powered-By
display_errors = On ; stack traces and file paths sent to users in production
allow_url_include = On ; lets include/require load remote URLs (RFI); only effective when allow_url_fopen = On too
register_globals = On ; removed in PHP 5.4, so this line has no effect; leaving it in shows the file was never reviewed
session.cookie_httponly = 0 ; session cookie readable by JavaScript
✓ Fixed
; Key php.ini settings
; Development (php.ini-development baseline):
error_reporting = E_ALL
display_errors = On
display_startup_errors = On
; Production (php.ini-production baseline):
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off ; CRITICAL: never expose to users
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off ; drops the X-Powered-By header
allow_url_include = Off ; closes the remote file inclusion vector shown above
session.cookie_httponly = 1 ; session cookie not readable from JavaScript
session.cookie_secure = 1 ; only sent over HTTPS
session.cookie_samesite = Lax
session.use_strict_mode = 1 ; reject session IDs the server did not issue
max_execution_time = 30
memory_limit = 256M
upload_max_filesize = 10M
post_max_size = 12M ; must be at least upload_max_filesize
date.timezone = UTC
; Check the settings the running SAPI actually uses (PHP code, not php.ini):
<?php
var_dump(ini_get('memory_limit')); // one directive, as this process sees it after all overrides
phpinfo(); // full report, NEVER reachable in production
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
⚡
DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Production php.ini checklist: display_errors=Off, log_errors=On, expose_php=Off, allow_url_include=Off, upload_max_filesize and post_max_size sized to your needs (upload_max_filesize ≤ post_max_size), memory_limit=256M, opcache.enable=1
📦 Applies To
PHP 5.0+
web
cli
🔍 Detection Hints
display_errors=On in production; expose_php=On; opcache.enable=0; allow_url_include=On
Auto-detectable:
✓ Yes
phpinfo
semgrep
lynis
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: File