; disable exposure expose_php = Off ; disable dangerous functions (minimal safe set) disable_functions = exec,passthru,shell_exec,proc_open,popen,system,show_source,phpinfo ; logging display_errors = Off display_startup_errors = Off log_errors = On error_reporting = E_ALL ; file limits upload_max_filesize = 8M post_max_size = 8M max_execution_time = 30 max_input_time = 60 memory_limit = 256M ; force strict session settings session.use_strict_mode = 1 session.cookie_httponly = 1 session.cookie_secure = 1 session.use_only_cookies = 1 ; opcache opcache.enable = 1 opcache.enable_cli = 0 opcache.validate_timestamps = 0 opcache.memory_consumption = 128 opcache.interned_strings_buffer = 16 opcache.max_accelerated_files = 12000 opcache.save_comments = 1 opcache.jit = 0 ; timezone (override manually) date.timezone = UTC ; forbid URL file wrappers unless needed allow_url_fopen = Off allow_url_include = Off ; security hardening cgi.fix_pathinfo = 0 ; hard unbreakable srcurity session.cookie_samesite = Strict opcache.restrict_api = /usr/local/php/opcache