
PHP hardening (by damian)

php.ini

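; php.ini comments use ";" — "#" comments were deprecated in PHP 5.3 and are
; rejected from PHP 7.0 on.  A misspelled directive name is silently ignored
; (no warning), so every key below must be spelled exactly as PHP expects it.

; don't advertise the PHP version in the X-Powered-By response header
expose_php = Off

; safe_mode, safe_mode_gid, safe_mode_include_dir and safe_mode_exec_dir were
; removed in PHP 5.4; PHP 5.4+ logs a startup warning when they are present.
; On supported versions use open_basedir and disable_functions instead.
; safe_mode = On
; safe_mode_gid = On
; safe_mode_include_dir = /path/to/dir
; safe_mode_exec_dir = /path/to/exec/dir

; log errors to a file outside the document root (not reachable over HTTP)
log_errors = On
error_log = /path/to/php_error.log
ignore_repeated_errors = Off

; confine all file-system access (include, fopen, ...) to the listed paths;
; separate several paths with ":".  NOTE(review): session.save_path and
; upload_tmp_dir below may also have to be listed here — verify on your build.
open_basedir = /path/to/web/root

; never show error output to clients — it leaks paths, queries and stack traces
display_errors = Off
display_startup_errors = Off

; disable functions that spawn processes, read process/user information or
; expose configuration.  PHP ignores names it does not know, so a typo here
; silently leaves the function enabled (the original list had "ignore_user_abord",
; "posix, _getppid" and "fpaththru").  "listen" and "source" do not appear to be
; core PHP functions; they are harmless here but verify before relying on them.
disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, popen, pcntl_exec, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

; dl() is listed above; this also blocks runtime extension loading at the engine level
enable_dl = Off

; with PHP-FPM/FastCGI behind a web server, do not let /static/file.jpg/x.php be
; resolved to a different script via PATH_INFO
cgi.fix_pathinfo = 0

; NOTE(review): allow_webdav_methods is not a directive I can find in core PHP —
; verify your build honours it; otherwise restrict WebDAV methods in the web
; server configuration instead.
allow_webdav_methods = Off

; register_globals was removed in PHP 5.4 (startup warning if present);
; it is shown here only for PHP < 5.4
; register_globals = Off

; disable remote file includes / remote fopen wrappers
allow_url_fopen = Off
allow_url_include = Off

; restrict file uploads; upload_tmp_dir must be writable by the PHP user
; and must not be served by the web server
file_uploads = Off
upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M

; protect sessions
session.save_path = /var/lib/php
; only accept the session id from a cookie, never from the URL, and reject
; ids the server did not generate (use_strict_mode: PHP >= 5.5.2)
session.use_only_cookies = 1
session.use_strict_mode = 1
; cookie flags: not readable from JavaScript, only sent over HTTPS,
; not sent on cross-site requests (cookie_samesite: PHP >= 7.3)
session.cookie_httponly = 1
session.cookie_secure = 1
session.cookie_samesite = "Lax"
; substring that must appear in the Referer header of requests carrying a session
session.referer_check = your_url.tld
session.name = SSID
; 1 = SHA-1 session ids; ignored from PHP 7.1, which uses
; session.sid_length / session.sid_bits_per_character instead
session.hash_function = 1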
Tags:
#hardening #ini #lamp #php #php.ini #security #sysadmin
