PHP
- Disable the display of error messages to clients (display_errors = Off); verbose errors leak file paths and code details
-
expose_php Off
Check that no version information leaks by doing telnet localhost 80 and then issuing: HEAD / HTTP/1.0
-
session.use_only_cookies = 1
-
allow_url_fopen Off
[unless you actually need PHP to open remote URLs with fopen/include]
-
register_globals = Off
-
magic_quotes_gpc = Off (see the note below)
This directive was introduced to improve security by preventing SQL injection, and it does help. But it is much better to turn it Off and escape characters yourself inside the PHP code, for two main reasons: it does not use the native escaping function of your database, and it adds a level of complexity (if one of your input values can legitimately contain quotes, you then need to call stripslashes to undo it).
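The following is an added example, not code from the original page, showing the point made above: with magic_quotes_gpc Off the input is used as received and escaping is done at the database boundary, while with it On the code first has to undo PHP's own escaping. The `users` table, the `appdb` database and the `DB_HOST`/`DB_USER`/`DB_PASS` environment variables are assumed placeholders; the string values are constructed.

```php
<?php
// Added example, not code from the original page. It shows why the page
// recommends magic_quotes_gpc = Off: input handling is simpler when PHP does
// not pre-escape quotes, and escaping is left to the database driver.
// Assumed placeholders: a MySQL database "appdb" with a "users" table, and
// the DB_HOST/DB_USER/DB_PASS environment variables for credentials.

// Constructed sample: the same request parameter as PHP hands it to the script
// with magic_quotes_gpc On (backslash inserted) and Off (untouched).
$as_received_with_magic_quotes = "O\\'Reilly";   // the string O\'Reilly
$as_received_without           = "O'Reilly";

// With magic quotes On, code that wants the real value must undo the escaping
// first, or it ends up storing or displaying a stray backslash.
function undo_magic_quotes(string $value): string
{
    // get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0,
    // so guard the call for code that still runs on old interpreters.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// With magic quotes Off the value is used as-is and escaping happens at the
// database boundary. A prepared statement is the preferred form: the value
// never becomes part of the SQL text.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Where a prepared statement is not possible, use the driver's own escaping,
// which knows the connection's character set (the "native function" the
// text refers to).
function quote_for_mysql(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Offline demonstration of the extra step magic quotes force on the code.
echo "with magic quotes:    ", $as_received_with_magic_quotes, "\n";
echo "after stripslashes:   ", stripslashes($as_received_with_magic_quotes), "\n";
echo "without magic quotes: ", $as_received_without, "\n";

// The database part only runs when connection details are provided.
if (PHP_SAPI === 'cli' && getenv('DB_HOST') !== false) {
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), 'appdb');
    $user = find_user($db, undo_magic_quotes($as_received_without));
    var_dump($user);
    echo quote_for_mysql($db, "O'Reilly"), "\n";
    $db->close();
}
```

Run it with `php example.php` to see the stripslashes step; set `DB_HOST`, `DB_USER` and `DB_PASS` to also exercise the prepared statement against a real MySQL server. The prepared statement is the form to prefer: the driver sends the parameter separately from the query text, so no escaping logic in application code can get it wrong.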
Apache
-
ServerTokens ProductOnly
-
ServerSignature Off
Check that no version information leaks by doing telnet localhost 80 and then issuing: HEAD / HTTP/1.0
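The telnet check mentioned in both the PHP and the Apache sections above, automated as an added example (not code from the original page): `fetch_head()` sends the same `HEAD / HTTP/1.0` request over a socket, and `find_header_leaks()` flags the two headers the listed directives control. The `CHECK_HOST` environment variable and the two sample responses are constructed for this example.

```php
<?php
// Added example, not code from the original page: the "telnet localhost 80"
// check from the text, automated. fetch_head() sends the HEAD request over a
// socket; find_header_leaks() reports headers that reveal software versions.
// The host to probe comes from the CHECK_HOST environment variable (assumed).

function fetch_head(string $host, int $port = 80): string
{
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }
    fwrite($sock, "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n");
    $raw = stream_get_contents($sock);
    fclose($sock);
    return $raw;
}

// Turn the raw response into a lower-cased header name => value map.
function parse_headers(string $raw): array
{
    $lines = preg_split("/\r?\n/", $raw);
    array_shift($lines);                       // status line
    $headers = [];
    foreach ($lines as $line) {
        if (trim($line) === '') {
            break;                             // end of the header block
        }
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue;                          // malformed line, ignore it
        }
        $headers[strtolower(trim($parts[0]))] = trim($parts[1]);
    }
    return $headers;
}

// Each finding names the leaking header and the directive that fixes it.
function find_header_leaks(string $raw): array
{
    $h = parse_headers($raw);
    $findings = [];
    if (isset($h['x-powered-by'])) {
        $findings[] = "X-Powered-By: {$h['x-powered-by']} (expose_php Off removes it)";
    }
    // ServerTokens ProductOnly yields "Apache" alone; a slash or parenthesis
    // means a version or OS string is still included.
    if (isset($h['server']) && preg_match('#[/(]#', $h['server'])) {
        $findings[] = "Server: {$h['server']} (ServerTokens ProductOnly trims it)";
    }
    return $findings;
}

// Constructed sample responses: a default install and a hardened one.
$default_install = "HTTP/1.1 200 OK\r\n"
    . "Server: Apache/2.4.41 (Ubuntu)\r\n"
    . "X-Powered-By: PHP/7.4.3\r\n"
    . "Content-Type: text/html\r\n\r\n";
$hardened = "HTTP/1.1 200 OK\r\n"
    . "Server: Apache\r\n"
    . "Content-Type: text/html\r\n\r\n";

foreach (['default' => $default_install, 'hardened' => $hardened] as $label => $raw) {
    $leaks = find_header_leaks($raw);
    echo "$label: ", $leaks ? implode('; ', $leaks) : 'no version leaks', "\n";
}

// Live check against a real server when CHECK_HOST is set.
if (PHP_SAPI === 'cli' && getenv('CHECK_HOST') !== false) {
    print_r(find_header_leaks(fetch_head(getenv('CHECK_HOST'))));
}
```

One caveat when using this check: ServerSignature controls the footer line Apache appends to the body of its own error pages, so a `HEAD /` request does not exercise it; to confirm that directive, request a path that does not exist and look at the response body.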
In a shared environment you could use these directives as well (for PHP):
- disable_functions
- enable_dl
- memory_limit
- upload_max_filesize
- safe_mode = On
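As an added example (not from the original page), the whole checklist above, both the general PHP settings and the shared-environment ones, turned into an offline audit of a php.ini text. It reads the file contents rather than the running interpreter's values, so it can check a configuration file on any PHP version; note that register_globals, magic_quotes_gpc and safe_mode were removed in PHP 5.4, so newer interpreters ignore them even when they are present in the file. The two php.ini excerpts are constructed.

```php
<?php
// Added example, not code from the original page: an offline audit of php.ini
// text against the directives listed above. It reads the file contents, not
// the running interpreter's values. Directives that PHP 5.4 removed
// (register_globals, magic_quotes_gpc, safe_mode) are ignored by newer
// interpreters but are still reported here for older ones.

// Boolean directives and the value the checklist wants.
const BOOLEAN_DIRECTIVES = [
    'display_errors'           => false,
    'expose_php'               => false,
    'session.use_only_cookies' => true,
    'allow_url_fopen'          => false,
    'register_globals'         => false,
    'magic_quotes_gpc'         => false,
    'enable_dl'                => false,
    'safe_mode'                => true,
];

// Directives that must carry a non-empty value in a shared environment.
const REQUIRED_DIRECTIVES = ['disable_functions', 'memory_limit', 'upload_max_filesize'];

// Normalise the forms an ini value may take (Off, 0, "", false, ...) to bool.
function ini_bool($value): bool
{
    if (is_bool($value)) {
        return $value;
    }
    if (is_int($value)) {
        return $value !== 0;
    }
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'yes', 'true'], true);
}

// Returns one human-readable finding per directive that deviates from the list.
function audit_php_ini(string $ini_text): array
{
    // INI_SCANNER_TYPED maps On/Off/yes/no to booleans and numeric strings to ints.
    $cfg = parse_ini_string($ini_text, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException('php.ini text could not be parsed');
    }
    $findings = [];
    foreach (BOOLEAN_DIRECTIVES as $name => $want) {
        $wanted = $want ? 'On' : 'Off';
        if (!array_key_exists($name, $cfg)) {
            $findings[] = "$name not set (want $wanted)";
        } elseif (ini_bool($cfg[$name]) !== $want) {
            $findings[] = "$name is not $wanted";
        }
    }
    foreach (REQUIRED_DIRECTIVES as $name) {
        if (!isset($cfg[$name]) || trim((string) $cfg[$name]) === '') {
            $findings[] = "$name is empty or not set";
        }
    }
    return $findings;
}

// Constructed php.ini excerpts: a permissive one and the hardened version.
$permissive = <<<INI
display_errors = On
expose_php = On
session.use_only_cookies = 0
allow_url_fopen = On
register_globals = On
magic_quotes_gpc = On
enable_dl = On
disable_functions =
INI;

$hardened = <<<INI
display_errors = Off
expose_php = Off
session.use_only_cookies = 1
allow_url_fopen = Off
register_globals = Off
magic_quotes_gpc = Off
enable_dl = Off
safe_mode = On
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
memory_limit = 64M
upload_max_filesize = 2M
INI;

foreach (['permissive' => $permissive, 'hardened' => $hardened] as $label => $text) {
    $findings = audit_php_ini($text);
    echo "$label: ", $findings ? '' : 'all checks pass', "\n";
    foreach ($findings as $finding) {
        echo "  - $finding\n";
    }
}
```

To audit a real file, replace the constructed excerpts with `file_get_contents('/path/to/php.ini')`; the function reports every listed directive that is missing or set the wrong way, so an empty result means the file matches the checklist.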
