PHP-Konfiguration

Hier eine Sammlung von PHP-Konfigurationseinstellungen, die für den Produktivbetrieb eines SiteKit-Systems in Erwägung gezogen werden sollten.

Allgemein

; Error handling: errors are written to the log and not shown to visitors.

; display_errors
;   Default Value: On
;   Development Value: On
;   Production Value: Off
; Off keeps error text (file paths, query fragments, stack traces) out of the
; HTTP response, where it would disclose internals to any visitor.
display_errors = Off

; error_reporting
;   Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
;   Development Value: E_ALL
;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; E_ALL is broader than the stock production value listed above. With
; display_errors = Off and log_errors = On the additional notices and
; deprecations only reach the log, so expect a larger log volume.
error_reporting = E_ALL

; log_errors
;   Default Value: Off
;   Development Value: On
;   Production Value: On
; The log destination (error_log) is not set in this snippet; keep it outside
; the document root and readable only by the accounts that need it.
log_errors = On

Sicherheit

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; Off removes the PHP version from the X-Powered-By response header. This only
; reduces version disclosure; it does not replace keeping PHP patched.
; http://php.net/expose-php
; expose_php = On
expose_php = Off

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; Off stops file functions (fopen, file_get_contents, ...) from opening remote
; URLs, which limits server-side request forgery through user-influenced paths.
; allow_url_include is a separate directive and is not set in this snippet.
; NOTE(review): code that fetches remote resources through these wrappers will
; fail with this setting - verify against the SiteKit modules in use.
; http://php.net/allow-url-fopen
; allow_url_fopen = On
allow_url_fopen = Off

; Switch whether to compile assertions at all (to have no overhead at run-time)
; -1: Do not compile at all
;  0: Jump over assertion at run-time
;  1: Execute assertions
; Changing from or to a negative value is only possible in php.ini!
; (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
; Default Value: 1
; Development Value: 1
; Production Value: -1
; With -1, assert() calls are not compiled, so application code must not rely
; on assert() for input validation or access checks.
; http://php.net/zend.assertions
; zend.assertions = 1
zend.assertions = -1

; Assert(expr); active by default.
; NOTE(review): with zend.assertions = -1 above, assertions are already not
; compiled, so this line is a second switch for the same thing. The assert.*
; INI settings are deprecated as of PHP 8.3 - confirm the target PHP version
; before keeping it.
; http://php.net/assert.active
;assert.active = On
assert.active = Off

Session-Sicherheit

; Whether to use strict session mode.
; Strict session mode does not accept an uninitialized session ID, and
; regenerates the session ID if the browser sends an uninitialized session ID.
; Strict mode protects applications from session fixation via a session adoption
; vulnerability. It is disabled by default for maximum compatibility, but
; enabling it is encouraged.
; Strict mode does not regenerate the ID at login; the application still has
; to do that itself (session_regenerate_id) when the privilege level changes.
; https://wiki.php.net/rfc/strict_sessions
; https://www.owasp.org/index.php/Session_fixation
; session.use_strict_mode = 0
session.use_strict_mode = 1

; session.cookie_secure defines whether the session cookie is only sent over
; secure (HTTPS) connections.
; With 1 the browser does not send the cookie over plain HTTP, so the whole
; site must be served over HTTPS or sessions will not persist.
; NOTE(review): behind a TLS-terminating proxy, check that PHP still sees the
; request as HTTPS where the application depends on that.
; session.cookie_secure = 0
session.cookie_secure = 1

; Whether or not to add the httpOnly flag to the cookie, which makes it
; inaccessible to browser scripting languages such as JavaScript.
; This limits session theft through cross-site scripting; it does not prevent
; the injected script from acting within the victim's session.
; session.cookie_samesite (PHP 7.3+) is not set in this snippet; consider it
; together with the two cookie flags above.
; http://php.net/session.cookie-httponly
; session.cookie_httponly = 0
session.cookie_httponly = 1

Opcache

; Determines if Zend OPCache is enabled
; Same value as the commented-out stock line; set explicitly so the production
; configuration does not depend on the distribution default.
;opcache.enable=1
opcache.enable=1

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
; Raised tenfold from the stock 10000. opcache.memory_consumption is left
; commented out below, so the cache keeps its default size - verify that it is
; large enough for this many scripts.
;opcache.max_accelerated_files=10000
opcache.max_accelerated_files=100000

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
; NOTE(review): code that reads doc comments at run time (annotation-based
; libraries, ReflectionClass::getDocComment) stops working with 0 - confirm
; that no SiteKit component or third-party library depends on them.
;opcache.save_comments=1
opcache.save_comments=0

; The OPcache shared memory storage size.
; Not overridden here; the stock value is shown for reference.
;opcache.memory_consumption=128

; The amount of memory for interned strings in Mbytes.
; Not overridden here; the stock value is shown for reference.
;opcache.interned_strings_buffer=8