Posted by Stas on December 17, 2006
Continuing on the theme of security, another idea: having a php.ini switch production=On. What it would do is:
- display_errors automatically disabled – or filenames, etc. are removed from error messages
- phpinfo() doesn’t work – this is protection for people leaving debug pages for Google to grab and for automated exploit scripts to visit them. Maybe too harsh – alternatively – it only works if the requestor is localhost? This might be a problem with insecure URL fopen though.
- expose_php off or stripped to not give out full version
- max_execution_time and memory_limit ensured to not be unlimited
- other things people constantly forget to configure correctly?
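A concrete way to check a server against the items on this list, as an added example (not code from the original post, and not a real production=On directive, which does not exist in php.ini): the script below audits the running configuration through ini_get() using directives that do exist today (display_errors, expose_php, disable_functions, max_execution_time, memory_limit). The function names and the suggested values in the messages are my own choices.

```php
<?php
// Added example: audit the running PHP configuration against the "production"
// checklist above, using real php.ini directives. Function names are assumed.
// Equivalent php.ini settings, for reference:
//   display_errors = Off
//   log_errors = On
//   expose_php = Off
//   disable_functions = phpinfo
//   max_execution_time = 30
//   memory_limit = 128M

declare(strict_types=1);

/** Interpret an ini boolean the way the ini scanner does ("", "0", "off", "false", "no", "none" are false). */
function ini_bool(string $value): bool
{
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no', 'none'], true);
}

/** Parse "128M", "1G", "65536" or "-1" into bytes; -1 means unlimited. */
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return -1;
    }
    $unit = strtoupper(substr($value, -1));
    $num  = (int) $value; // leading digits of "128M" cast to 128
    return match ($unit) {
        'G'     => $num * 1024 ** 3,
        'M'     => $num * 1024 ** 2,
        'K'     => $num * 1024,
        default => $num,
    };
}

/** Return a list of findings; an empty list means every check passed. */
function audit_production_settings(): array
{
    $findings = [];

    // display_errors: anything other than Off sends file paths and messages to the
    // client; the special values "stderr" and "stdout" also count as enabled.
    if (ini_bool((string) ini_get('display_errors'))) {
        $findings[] = 'display_errors is enabled; set display_errors = Off and log_errors = On';
    }

    // expose_php: emits the X-Powered-By header carrying the full PHP version.
    if (ini_bool((string) ini_get('expose_php'))) {
        $findings[] = 'expose_php is On; set expose_php = Off';
    }

    // phpinfo(): only blocked when it appears in the disable_functions list.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (!in_array('phpinfo', $disabled, true)) {
        $findings[] = 'phpinfo() is callable; add phpinfo to disable_functions';
    }

    // max_execution_time: 0 means unlimited. The CLI SAPI always reports 0,
    // so this check only applies to web SAPIs.
    if (PHP_SAPI !== 'cli' && (int) ini_get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time is unlimited; set a finite value such as 30';
    }

    // memory_limit: -1 means unlimited.
    if (ini_bytes((string) ini_get('memory_limit')) === -1) {
        $findings[] = 'memory_limit is unlimited; set a finite value such as 128M';
    }

    return $findings;
}

$findings = audit_production_settings();
if ($findings === []) {
    echo "OK: production settings in place\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "WARN: $finding\n";
}
exit(1);
```

Run it under the same SAPI the site uses (for example as a one-off page under php-fpm, then delete it), since the CLI reads a different php.ini and always reports max_execution_time as 0. A non-zero exit status makes it usable as a deployment gate.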