Debian’s initial PHP configuration is a very good start. This guide provides adjustments improving upon it.

This howto is tested on:

  • Debian 10.0 Buster

This howto is tested with these versions of PHP:

  • 7.3.11


This howto requires:


Detect if sudo is available (“command” is used if not):

command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Harden PHP pages security:

${cmdProxy} php-tools --add-mod --mod-priority=50 --mod-name='security-hardened' \
    --mod-settings='; Harden PHP5 security
; priority=50
; Disable PHP exposure
expose_php = Off

;Dangerous : disable system functions. This can break some administration softwares.
;disable_functions = symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd'

Set UTF-8 as default character encoding for mbstring extension:

${cmdProxy} php-tools --add-mod --mod-priority=50 --mod-name='mbstring-config' \
    --mod-settings='; Set mbstring defaults to UTF-8
; priority=50
mbstring.language = UTF-8
mbstring.internal_encoding = UTF-8
mbstring.http_input = UTF-8
mbstring.http_output = UTF-8
mbstring.detect_order = auto'

Set default PHP timezone to be the same as the system default:

${cmdProxy} php-tools --add-mod --mod-priority=50 --mod-name='timezone' \
    --mod-settings="; PHP settings for strtotime
; priority=50
date.timezone = \"$(command cat /etc/timezone)\""

Reload PHP configuration:

${cmdProxy} php-tools --reload


Categories: PHP


Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.