PHP Directives List

This is an overview of the recommended directives for your application. The most important directives have been collected here, for a quick review. The whole list of directive is available as a link to the manual, when applicable. When an extension is missing from the list below, either it as no specific configuration directive, or it is not used by the current code.

DirectiveSuggestionDescription
apache
child_terminatetrueSpecify whether PHP scripts may request child process termination on end of request.
Extra configurations Apache runtime configuration
com
com.allow_dcomFalseAllow Distributed-COM calls. Keep if false unless you need Distributed com calls.
Extra configurations Com runtime configuration
curl
Extra configurations Curl runtime configuration
date
date.timezoneEurope/AmsterdamIt is not safe to rely on the system's timezone settings. Make sure the directive date.timezone is set in php.ini.
file
allow_url_fopenOffUnless you need to access remote files, it is better to be safe and forbid this feature
realpath_cache_size128kDetermines the size of the realpath cache to be used by PHP. The default value of "16k" is usually too low for modern application that open many files (autoload, fopen, filet_get_contents...). It is recommended to make this value up to 128 to 256k, and reduce it by testing with realpath_cache_get().
realpath_cache_ttl3600Duration of time (in seconds) for which to cache realpath information for a given file or directory. If the application's code doesn't change too often, you may set this directive to 3600 (one hour) or even more.
Extra configurations File System runtime configuration
filter
filter.defaultunsafe_rawSet the default filter when using functions like filter_input(), filter_var() or their _array() version. Give this a strict level, like 'string' by default, and make every call to the previous functions configure the filters case by case.
Extra configurations Filter runtime configuration
imagick
Extra configurations Imagick runtime configuration
intl
intl.default_localeThe locale that will be used in intl functions when none is specified (either by omitting the corresponding argument or by passing NULL). These are ICU locales, not system locales.
intl.error_levelE_WARNINGThe level of the error messages generated when an error occurs in ICU functions. This is a PHP error level, such as E_WARNING. It can be set to 0 in order to inhibit the messages. This does not affect the return values indicating error or the values returned by intl_get_error_code() or by the class specific methods for retrieving error codes and messages. Choosing E_ERROR will terminate the script whenever an error condition is found on intl classes.
intl.use_exceptionsfalseIf set to true, an exception will be raised whenever an error occurs in an intl function. The exception will be of type IntlException. This is possibly in addition to the error message generated due to intl.error_level.
Extra configurations Intl runtime configuration
mail
SMTPlocalhostUsed under Windows only: the host that will be sending the mail.
smtp_port25Used under Windows only: the port on the host that will be sending the mail.
sendmail_path/usr/sbin/sendmail -t -iThe location of the mail sending program (here, smtp, but it may also be qmail or else). Configure will try to locate smtp, but if it fails, you may set this directive correctly.
sendmail_fromyour-email@your-domain.comIndicates an origin for any mail being send with PHP. This should be set, so as to avoid being mistaken as spam, and provide an with which communicate in case of any problem.
mail.log/var/log/phpmail.logKeep log of mails being send with PHP. Be careful if the data being send are sensitive (destination is noted).
mail.add_x_headeryour-domain.comAdds a special X-PHP-Originating-Script headers, providing more information on the origin of the mail, but which will be mostly hidden from the final reader (unless it checks the mail headers).
Extra configurations Mail runtime configuration
mbstring
default_charsetUTF-8This directive handle encoding for input, internal and output. default_charset
mbstring.internal_encodingDo not rely on itThis directive is deprecated or removed since PHP 5.6. It is recommended to use the "default_charset" directive instead.
Extra configurations mbstring runtime configuration
ob
output_buffering4096You can enable output buffering for all files by setting this directive to 'On'. If you wish to limit the size of the buffer to a certain size - you can use a maximum number of bytes instead of 'On', as a value for this directive (e.g., output_buffering=4096). As of PHP 4.3.5, this directive is always Off in PHP-CLI.
output_handler mb_output_handler or ob_iconv_handler(), ob_gzhandler() or zlib.output_compression;Use the first suggested values to handle character encoding. Use the second values for on the fly compression; Use your own function if you have one.
implicit_flushFalseChanging this to TRUE tells PHP to tell the output layer to flush itself automatically after every output block : this has performances penalty.
opcache
opcache.enableOnBy putting aliases of URI in the php.ini, you won't hardcode the DSN in your code.
opcache.memory_consumption128This directive set the amount of opcode cache. The more the better, as long as it doesn't swap.
opcache.memory_consumption4000The maximum number of files OPcache will cache. Estimate 32kb a file.
Extra configurations Opcache runtime configuration
openssl
openssl.cafile Location of Certificate Authority file on local filesystem which should be used with the verify_peer context option to authenticate the identity of the remote peer.
openssl.capath If cafile is not specified or if the certificate is not found there, the directory pointed to by capath is searched for a suitable certificate. capath must be a correctly hashed certificate directory.
pcre
Extra configurations PCRE runtime configuration
pdo
Extra configurations PDO runtime configuration
session
session.nameThis directive sets the name of the session, which is also used as cookie. It is recommended to give an explicit name to this, and avoid the default value of PHPSESSID.
session.pathAvoid /tmpThis directive sets the path where the session files will be store (if using a file storage). It is recommended to avoid using /tmp, as this folder is accessible to everyone who has access to the machine. Set it to some path that is dedicated to the webserver.
session.auto_start1This directive allows the session to be started at request time. This is the default behavior for most web sites.
session.cookie_httponly1Mark the session cookie as reserved for HTTP communication. This will prevent the cookie to be available for Javascript, and help prevent XSS (although, not all browsers support it).
session.use_only_cookies1Limit the transmission of the session id to cookies.
session.use_trans_sid0This will make PHP put the session token in the URL, instead of cookies. This is a security risk, as the token may be easily accessed and shared. It is recommended to avoid this.
session.cookie_domainThis directive will limit the diffusion of the session cookie to the specified domain name. The more restrictive the better. Aka, session.cookie_domain=".net" will restrict the cookie to every ".net" domains, and not every domain. session.cookie_domain="www.yourdomain.net" will restrict it to the eponymous domain, and won't share the cookie with "images.yourdomain.net", which may be too restrictive.
Extra configurations Session runtime configuration
standard
memory_limit120This sets the maximum amount of memory in bytes that a script is allowed to allocate. This helps prevent poorly written scripts for eating up all available memory on a server. It is recommended to set this as low as possible and avoid removing the limit.
max_execution_time90This sets the maximum amount of time, in seconds, that a script is allowed to run. The lower the value, the better for the server, but also, the better has the script to be written. Avoid really large values that are only useful for admin, and set them per directory.
expose_phpOffExposes to the world that PHP is installed on the server. For security reasons, it is better to keep this hidden.
display_errorsOffThis determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user.
error_reportingE_ALLSet the error reporting level. Always set this high, so as to have the errors reported, and logged.
log_errorsOnAlways log errors for future use
error_logName of a writable file, suitable for logging.Name of the file where script errors should be logged.
Extra configurations Standard runtime configuration
Error Log
error_logOnBesides displaying errors, PHP can also log errors to locations such as a server-specific log, STDERR, or a location specified by the error_log directive
error_logphp_errors.logLog errors to specified file. PHP's default behavior is to leave this value empty
Environment
variables_orderEGPCSSets the order of the EGPCS (Environment, Get, Post, Cookie, and Server) variable parsing. If 'E' is omited, then $_ENV may be empty.
Disable features
disable_functionspassthru, system, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, show_source, symlink, pfsockopen, socket_create_listen, socket_create_pair, symlink, apache_child_terminate, apache_get_version, apache_getenv, apache_note, apache_setenv, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, leak, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuidThis directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. ; 12 sensitive functions were found in the code. Don't disable those : fsockopen, curl_exec, curl_multi_exec, shell_exec, popen, pclose, mail, exec, socket_connect, socket_create, apache_get_modules, dl
disable_classespharThis directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini. ; 1 sensitive classes were found in the code. Don't disable those :
File Upload
upload_max_filesize2MThis is the maximum uploaded size. It is recommended to keep this value as low as possible.
max_file_uploads1This is the maximum number of uploaded files in a single request.
upload_tmp_dir/tmp/php_uploadUpload directory where PHP stores the temporary files. It is recommended to set this value, and separate it from other temporary directories.
post_max_size2MThis is the maximum amount of data that PHP will accept in a POST request. It has to be higher or equal to upload_max_filesize. For security reasons, it should be as low as possible, to prevent PHP using too much memory.