Configuration-driven PHP security advice considered harmful

Feb 2nd 2017

Scott Arciszewski debunks the commonly given advice on securing your PHP installation by setting some php.ini values.

There have been countless examples posted in various places (Reddit, Hacker News, Twitter, Facebook, Slashdot, and even LinkedIn group discussions), and while a handful occasionally contain one or two tips that might be beneficial towards securing your PHP applications, almost all of the advice they contain is either wrong, a huge waste of time, downright silly, or all of above.
As part of a team that specializes in application security (in particular: securing PHP applications), I feel it's high time someone cleared the air about this advice.

https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

← Why a software patch is called a patch

A link blog to stay in touch with the bigger PHP community →

Share Post LinkedIn | Follow @freekmurze

Join 9,500+ smart developers

Get my monthly newsletter with what I learn from running Spatie, building Oh Dear, and maintaining 300+ open source packages. Practical takes on Laravel, PHP, and AI that you can actually use.

"Freek publishes a super resourceful and practical newsletter. A must for anyone in the Laravel space"

Joey Kudish — Shipping with AI as a teammate

No spam. Unsubscribe anytime. You can also follow me on X.

Found something interesting to share? Submit a link to the community section.

I'm a Laravel developer at Spatie and Oh Dear. I maintain 300+ open source packages for the Laravel community.

Follow on X

Oh Dear monitors your entire website, so you don't have to. Uptime, SSL certificates, broken links, scheduled tasks, DNS, and more — all in one place.

Get instant notifications when something breaks, paired with a developer friendly API and thorough documentation.

Create a public status page in under a minute. Start your free trial.