IIS 7.0 PHP Security Recommendations


The following settings can be used to tighten the security of a PHP installation. To make the recommended changes, locate and open the php.ini file and edit the configuration settings as described below:

| Setting | Description |
| --- | --- |
| `allow_url_fopen=Off`<br>`allow_url_include=Off` | Disable remote URLs for file handling functions. Remote URLs in these functions may cause code injection vulnerabilities. |
| `register_globals=Off` | Disable register_globals. |
| `open_basedir="c:\inetpub\"` | Restrict where PHP processes can read and write on the file system. |
| `safe_mode=Off`<br>`safe_mode_gid=Off` | Disable safe mode. |
| `max_execution_time=30`<br>`max_input_time=60` | Limit script execution time. |
| `memory_limit=16M`<br>`upload_max_filesize=2M`<br>`post_max_size=8M`<br>`max_input_nesting_level=64` | Limit memory usage and file sizes. |
| `display_errors=Off`<br>`log_errors=On`<br>`error_log="C:\path\of\your\choice"` | Configure error messages and logging. |
| `fastcgi.logging=0` | The IIS FastCGI module fails the request when PHP sends any data on stderr over the FastCGI protocol. Disabling FastCGI logging prevents PHP from sending error information over stderr and generating 500 response codes for the client. |
| `expose_php=Off` | Hide the presence of PHP. |
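
One way to check a php.ini file against the table above is a small audit script. This is an added example, not part of the original page: the function names and the sample input are constructed for illustration, it uses PHP's directive name `max_input_nesting_level`, and it reads only the file text, not the configuration PHP actually loaded.

```python
import re

# Checks taken from the table above. Treating the numeric values as upper
# bounds, with 0 or negative meaning "unlimited", is this example's assumption.
BOOLS = {"allow_url_fopen": False, "allow_url_include": False,
         "register_globals": False, "safe_mode": False, "safe_mode_gid": False,
         "display_errors": False, "log_errors": True, "fastcgi.logging": False,
         "expose_php": False}
LIMITS = {"max_execution_time": 30, "max_input_time": 60,
          "memory_limit": 16 << 20, "upload_max_filesize": 2 << 20,
          "post_max_size": 8 << 20, "max_input_nesting_level": 64}
MUST_SET = ("open_basedir", "error_log")
LINE = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

# Constructed sample input, not taken from a real server.
SAMPLE = """allow_url_fopen = On
memory_limit = 128M   ; above the 16M in the table
open_basedir = "c:\\inetpub\\"
expose_php = Off
"""

def parse_ini(text):
    """Return {directive: raw value}; a repeated directive keeps its last value."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)  # ';' comment lines and [section] lines do not match
        if m:
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            values[m.group(1).lower()] = raw.strip()
    return values

def to_number(raw):
    """Convert PHP shorthand such as 16M to an integer, or None if unparsable."""
    m = re.fullmatch(r"(-?\d+)\s*([kmg]?)", raw.lower())
    return int(m.group(1)) << {"": 0, "k": 10, "m": 20, "g": 30}[m.group(2)] if m else None

def audit(text):
    """Return sorted (directive, problem) pairs for settings that miss the table."""
    ini = parse_ini(text)
    found = [(n, "missing or empty") for n in (*BOOLS, *LIMITS, *MUST_SET) if not ini.get(n)]
    for name, want in BOOLS.items():
        if ini.get(name) and (ini[name].lower() in ("1", "on", "true", "yes")) != want:
            found.append((name, "expected " + ("On" if want else "Off")))
    for name, limit in LIMITS.items():
        n = to_number(ini.get(name, ""))
        if ini.get(name) and (n is None or not 0 < n <= limit):
            found.append((name, f"must be between 1 and {limit}"))
    return sorted(found)
```

Calling `audit(open(path).read())` on a real php.ini returns an empty list when every setting in the table is met; a "missing or empty" finding means the built-in default of the installed PHP version applies and should be checked separately.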

