PHP Security Settings

GAIA should just work fine with most configurations of php.ini. However, for the security of your webserver consider making the following settings.

Setting Value Comments
display_errors Off Don't send error messages to the HTML output. For a test server you might want this set to On for easier debugging.
log_errors On Write error messages into a log file.
allow_url_fopen Off Whether to allow the treatment of URLs (like http:// or ftp://) as files. GAIA uses curl to access remote documents and does not require allow_url_fopen to be on. Switch off to secure your webserver.

wip Comments invited on the usefulness (or lack of) of the open_basedir setting.

bubble Not very useful unless you are very aware it is set! You can easily get caught out by modules which PHP claims to not find even though they are in the include_path, if the path is not listed in the open_basedir setting.

Topic revision: r2 - 2009-12-11 - 14:05:21 - SteveMarple
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback