PHP

Prerequisite
To use this guide, you will need Nginx installed and configured.

Common configuration
In Debian, the different flavour of PHP have their own configuration file. This allow fine grained configuration but makes it harder to have common behaviour.

Let’s create a common file read by all PHP interpreters.

Debian Jessie
Unless specified, all the settings bellow should go to

Debian Stretch
Unless specified, all the settings bellow should go to

Integrate with Nginx
Create file

Security
PHP is known to have a particularly poor track record in term of security. Although things are improving, it is recommended to harden you installation.

Hide PHP
It is generally a bad idea to give information on the technologies used by your system. This setting make sure that PHP is not exposed.

Session IDs
By default PHP session IDs are not very random. Let's get some more entropy

Prevent session fixation attacks

Limit File Access
By default, PHP allow scripts to read any file on the machine including sensible files like. The setting bellow limit that. Of course when new sites are added, the list of folder need to be extended.

Limit access to POST data
This setting only apply to Debian 8 (Jessie) and bellow