PHP is an open-source server-side scripting language and it is a widely used. The Apache web server provides access to files and content via the HTTP OR HTTPS protocol. A misconfigured server-side scripting language can create all sorts of problems. So, PHP should be used with caution. Here are twenty-five php security best practices for sysadmins for configuring PHP securely.
Our Sample Setup For PHP Security Tips
- DocumentRoot: /var/www/html
- Default Web server: Apache ( you can use Lighttpd or Nginx instead of Apache)
- Default PHP configuration file: /etc/php.ini
- Default PHP extensions config directory: /etc/php.d/
- Our sample php security config file: /etc/php.d/security.ini (you need to create this file using a text editor)
- Operating systems: RHEL / CentOS / Fedora Linux (the instructions should work with any other Linux distributions such as Debian / Ubuntu or other Unix like operating systems such as OpenBSD/FreeBSD/HP-UX).
- Default php server TCP/UDP ports: none