Secure PHP configuration
A web application written on top of an insecurely configured PHP parser is as good as an account with a weak password.
A good guide (article) on configuring PHP safely can be found here, but for those truly interested in the subject I would recommend the PHP 5 guide from OWASP, which, besides telling you how to configure PHP, also explains the implications of each insecure configuration option.
Another thing I would modify (and it’s not mentioned anywhere) is the session cookie lifetime. It may be a little annoying for the visiting user, but a cookie with a fixed lifetime sometimes protects better against CSRF than a cookie that only expires when the browser is restarted.
session.cookie_lifetime = 600
But don’t think you’re done yet… This is just the beginning. The guys back at PHP Security Consortium have created an automated testing suite for PHP configuration. You can download it from here.
Doing the test on the php.ini-dist gave me 7 Notices, 2 Passes and 3 Warnings. And doing the tests on php.ini-recommended gave me 5 Notices, 4 Passes and 3 Warnings.
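The kind of check the PHP Security Consortium suite performs can be reproduced in miniature. The following is an added example, not the PHPSC suite or any code from the original post: it parses a php.ini fragment, audits a handful of well-known directives (including the session.cookie_lifetime setting suggested above), and reports results using the same Pass/Notice/Warning vocabulary. The directive names are real php.ini settings; the sample configuration and the severity assigned to each finding are constructed for the example. The simple line parser does not handle semicolons inside quoted values.

```python
"""Minimal php.ini security checker (added example, not the PHPSC test suite)."""
from typing import Dict, List, Optional, Tuple

# Boolean directives to check: name -> (desired On?, severity when it differs).
# Severities are the example's own choices, modelled on the suite's vocabulary.
BOOL_CHECKS: Dict[str, Tuple[bool, str]] = {
    "register_globals": (False, "Warning"),      # classic PHP 5 variable injection
    "allow_url_include": (False, "Warning"),     # remote include of PHP code
    "display_errors": (False, "Warning"),        # leaks paths and stack traces
    "allow_url_fopen": (False, "Notice"),        # remote file access via fopen()
    "expose_php": (False, "Notice"),             # X-Powered-By version header
    "session.use_only_cookies": (True, "Notice"),  # no session id in the URL
    "session.cookie_httponly": (True, "Notice"),   # cookie hidden from JavaScript
}

# Constructed sample php.ini fragment (not a real distribution file).
SAMPLE_INI = """
; constructed php.ini fragment for the example
[PHP]
register_globals = Off
allow_url_fopen = On        ; remote file access left on
allow_url_include = Off
display_errors = On         ; leaks paths/stack traces to visitors
expose_php = Off
[Session]
session.use_only_cookies = 1
session.cookie_lifetime = 600
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Return lower-cased directive names mapped to their raw (unquoted) values."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, [section] header or malformed line
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def as_bool(value: str) -> Optional[bool]:
    """Interpret php.ini boolean spellings; None if the value is not boolean."""
    v = value.strip().lower()
    if v in {"1", "on", "true", "yes"}:
        return True
    if v in {"0", "off", "false", "no", "none", ""}:
        return False
    return None


def audit(directives: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (directive, severity, detail) for every check."""
    results: List[Tuple[str, str, str]] = []
    for key, (want_on, severity) in BOOL_CHECKS.items():
        raw = directives.get(key)
        if raw is None:
            results.append((key, "Notice", "not set; the PHP default applies"))
            continue
        expected = "On" if want_on else "Off"
        if as_bool(raw) is want_on:
            results.append((key, "Pass", f"{key} = {raw}"))
        else:
            results.append((key, severity, f"{key} = {raw}, expected {expected}"))

    # The post suggests a finite cookie lifetime; 0 means "until the browser closes".
    raw = directives.get("session.cookie_lifetime", "0")
    try:
        seconds = int(raw)
    except ValueError:
        seconds = -1
    if seconds > 0:
        results.append(("session.cookie_lifetime", "Pass", f"expires after {seconds}s"))
    else:
        results.append(("session.cookie_lifetime", "Notice",
                        f"{raw!r}: cookie lives until the browser is closed"))
    return results


def summarize(results: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per severity, in the suite's Pass/Notice/Warning terms."""
    counts = {"Pass": 0, "Notice": 0, "Warning": 0}
    for _, severity, _ in results:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    findings = audit(parse_ini(SAMPLE_INI))
    for key, severity, detail in findings:
        print(f"[{severity:7}] {key}: {detail}")
    print(summarize(findings))
```

Run it against a real php.ini by reading the file into parse_ini() instead of SAMPLE_INI; the Warning entries are the ones to fix first.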

If you think that is too much effort, then you’re gonna love their alternative. Like the testing suite above, they have also created a Greasemonkey script version. You can download it from here. For the Greasemonkey phpinfo() Security Checker to work you just have to visit a page that outputs the result of phpinfo().