Default PHP settings expose version information, allow dangerous functions, and leave logging disabled. This guide hardens PHP 8.3 on Ubuntu 24.04 LTS to protect production web applications.

Tested and valid on:

  • Ubuntu 24.04 LTS

Prerequisites

  • Ubuntu 24.04 LTS server with PHP 8.3 installed
  • A user with sudo privileges

Step 1 – Disable Version Exposure

Open the PHP-FPM php.ini:

sudo nano /etc/php/8.3/fpm/php.ini

Disable the PHP version header:

expose_php = Off

Step 2 – Disable Dangerous Functions

Restrict dangerous PHP functions:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Step 3 – Limit File Access

Restrict PHP to specific directories:

open_basedir = /var/www:/tmp:/usr/share/php

Step 4 – Disable Remote File Inclusion

Prevent remote file includes:

allow_url_fopen = Off
allow_url_include = Off

Step 5 – Enable Logging

Log PHP errors to a file (not to the browser in production):

display_errors = Off
log_errors = On
error_log = /var/log/php8.3-fpm-errors.log
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Step 6 – Limit Upload and POST Sizes

Set sensible limits:

upload_max_filesize = 10M
post_max_size = 12M
max_input_vars = 1000

Step 7 – Set Session Security

Harden PHP session handling:

session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
session.cookie_samesite = Strict

Step 8 – Restart PHP-FPM and Test

Apply all changes:

sudo systemctl restart php8.3-fpm

Test that your application still works correctly after applying restrictions.

Conclusion

PHP 8.3 on Ubuntu 24.04 LTS is now hardened against common attack vectors. Regularly review php.ini settings as your application requirements evolve and always test after changes.