Production mode
Continuing on the theme of security, another idea: having a php.ini switch production=On. What it would do is:
- display_errors automatically disabled - or filenames, etc. are removed from error messages
- phpinfo() doesn’t work - this is protection for people leaving debug pages for Google to grab and for automated exploit scripts to visit them. Maybe too harsh - alternatively - doesn’t work if requestor is not localhost? This might be a problem with insecure URL fopen though.
- expose_php off or stripped to not give out full version
- max_execution_time and memory_limit ensured to not be unlimited
- other things people constantly forget to configure correctly?
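
Most of the list above can be checked today against existing directives. The following is an added example, not code from the original post: a small Python audit of a php.ini file. It assumes phpinfo() is blocked through `disable_functions` as the closest existing equivalent; the sample file is constructed and the function names are hypothetical.

```python
import re

# PHP's built-in defaults, used when a directive is absent from the file.
PHP_DEFAULTS = {"display_errors": "1", "expose_php": "1", "disable_functions": "",
                "max_execution_time": "30", "memory_limit": "128M"}

# Constructed sample: a development-style php.ini left on a public server.
SAMPLE_INI = """\
[PHP]
display_errors = On   ; handy while debugging
;expose_php = Off
max_execution_time = 0
memory_limit = -1
disable_functions = exec,passthru
"""

def parse_ini(text):
    """Return the effective value of each audited directive (last one wins)."""
    values = dict(PHP_DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in values:
            values[m.group(1).lower()] = m.group(2).strip().strip('"')
    return values

def is_on(value):
    # Values php.ini reads as "off"; anything else (including
    # display_errors = stderr) is conservatively reported as enabled.
    return value.lower() not in ("", "0", "off", "false", "no", "none")

def audit(text):
    """Return the checks from the list above that this php.ini fails."""
    v = parse_ini(text)
    disabled = [f.strip().lower() for f in v["disable_functions"].split(",")]
    checks = [
        ("display_errors", is_on(v["display_errors"])),
        ("expose_php", is_on(v["expose_php"])),
        ("max_execution_time", v["max_execution_time"] == "0"),  # 0 = unlimited
        ("memory_limit", v["memory_limit"] == "-1"),             # -1 = unlimited
        ("phpinfo", "phpinfo" not in disabled),                  # still callable
    ]
    return [name for name, failed in checks if failed]

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

A commented-out directive falls back to PHP's built-in default, which is why `;expose_php = Off` in the sample is still reported.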
