From 63dc479b332784202764b5985a9dec3fe22f5385 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Wed, 3 Jul 2024 12:55:13 +0200 Subject: [PATCH 1/6] Improve PHP security recommendations --- .../security/security_checklist.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index b60826c5df..0c8969cb00 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -57,6 +57,26 @@ Such arguments could include passwords or other sensitive information. You should also make sure no stack trace is ever visible to end users of production sites, though visible arguments are unsafe even if the stack traces only show up in log files. +### Disable error output from PHP + +Symfony in production mode will prevent exception messages from being visible to end users. +However, if Symfony fails to boot properly, such exceptions may end up being visible, including stack traces. +This can be prevented by [disabling error message output in PHP](https://www.php.net/manual/en/language.errors.basics.php). +These `php.ini` configuration values should be used on production sites. +When using Ibexa Cloud / Platform.sh the same settings can be configured in Ibexa DXP's `.platform.app.yaml` file. + + ```ini + display_errors = Off + display_startup_errors = Off + ``` + +### Other PHP settings + +Consider what other security related settings are relevant for your needs. +The [OWASP PHP Configuration Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html) +contains some recommendations, but please beware it may be out of date as it doesn't mention PHP 8. +See also [PHP's own security manual](https://www.php.net/manual/en/security.php). + ## [[= product_name =]] ### Fully-vetted admin users From 5ffcf1774f84190ac9a4a66239078e9bbe6f3f7e Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Wed, 3 Jul 2024 13:02:05 +0200 Subject: [PATCH 2/6] Vale suggestion fixup --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 0c8969cb00..b8f2117b07 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -59,7 +59,7 @@ though visible arguments are unsafe even if the stack traces only show up in log ### Disable error output from PHP -Symfony in production mode will prevent exception messages from being visible to end users. +Symfony in production mode prevents exception messages from being visible to end users. However, if Symfony fails to boot properly, such exceptions may end up being visible, including stack traces. This can be prevented by [disabling error message output in PHP](https://www.php.net/manual/en/language.errors.basics.php). These `php.ini` configuration values should be used on production sites. From d473403248c3e9d7d18d464ee07036698fd12f63 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Wed, 3 Jul 2024 13:02:14 +0200 Subject: [PATCH 3/6] Vale suggestion fixup --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index b8f2117b07..8e6bb25880 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -63,7 +63,7 @@ Symfony in production mode prevents exception messages from being visible to end However, if Symfony fails to boot properly, such exceptions may end up being visible, including stack traces. This can be prevented by [disabling error message output in PHP](https://www.php.net/manual/en/language.errors.basics.php). These `php.ini` configuration values should be used on production sites. -When using Ibexa Cloud / Platform.sh the same settings can be configured in Ibexa DXP's `.platform.app.yaml` file. +When using '[[= product_name_cloud =]]' / Platform.sh the same settings can be configured in '[[= product_name_base =]]' DXP's `.platform.app.yaml` file. ```ini display_errors = Off 
From 905b9d4f6ad323ed85dc07f8968a533e94fc5468 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Wed, 3 Jul 2024 16:11:49 +0200 Subject: [PATCH 4/6] Product name fixes Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 8e6bb25880..f5e821104d 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -63,7 +63,7 @@ Symfony in production mode prevents exception messages from being visible to end However, if Symfony fails to boot properly, such exceptions may end up being visible, including stack traces. This can be prevented by [disabling error message output in PHP](https://www.php.net/manual/en/language.errors.basics.php). These `php.ini` configuration values should be used on production sites. -When using '[[= product_name_cloud =]]' / Platform.sh the same settings can be configured in '[[= product_name_base =]]' DXP's `.platform.app.yaml` file. +When using [[= product_name_cloud =]], the same settings can be configured in [[= product_name =]]'s `.platform.app.yaml` file. ```ini display_errors = Off From 7df5894d5c48fbf54bd77325a7fd4abc8a1ccf1c Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Wed, 3 Jul 2024 16:13:27 +0200 Subject: [PATCH 5/6] Ini code Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> --- .../security/security_checklist.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index f5e821104d..c2ed592e6f 100644 
--- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -65,10 +65,10 @@ This can be prevented by [disabling error message output in PHP](https://www.php These `php.ini` configuration values should be used on production sites. When using [[= product_name_cloud =]], the same settings can be configured in [[= product_name =]]'s `.platform.app.yaml` file. - ```ini - display_errors = Off - display_startup_errors = Off - ``` +```ini +display_errors = Off +display_startup_errors = Off +``` ### Other PHP settings From a453ffd49bb8829adad57d2503d65b92ded30fa9 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Thu, 4 Jul 2024 14:12:38 +0200 Subject: [PATCH 6/6] Wording Co-authored-by: julitafalcondusza <117284672+julitafalcondusza@users.noreply.github.com> --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index c2ed592e6f..29cfd34d29 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -74,7 +74,7 @@ display_startup_errors = Off Consider what other security related settings are relevant for your needs. The [OWASP PHP Configuration Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html) -contains some recommendations, but please beware it may be out of date as it doesn't mention PHP 8. +contains several recommendations, but be aware that they may be out of date as they don't mention PHP 8. See also [PHP's own security manual](https://www.php.net/manual/en/security.php). ## [[= product_name =]]
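Review bot: In PATCH 1/6, the new "Disable error output from PHP" section turns display off without saying where errors should go instead; with only `display_errors = Off` and `display_startup_errors = Off`, a boot failure that used to be printed to the browser can disappear entirely unless `log_errors = On` and an `error_log` path are also set, so the `php.ini` snippet should include those two directives and the text should say that operators then read the log instead of the page. The paragraph should also state that the `php.ini` value only holds while the application runs with debugging off (`APP_DEBUG=0`), because Symfony's debug mode re-enables error display at runtime, which is exactly the case the section is trying to cover. Finally, the fence lines in this hunk are indented by one space (` ```ini`, ` display_errors = Off`, ` ```) outside any list, which some Markdown renderers will treat as an indented paragraph rather than a code block; the fence should start in column 1.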
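Review bot: In PATCH 3/6, wrapping the template variables in single quotes (`'[[= product_name_cloud =]]'` and `'[[= product_name_base =]]' DXP`) will render literal quote characters around the product names, and appending a hard-coded `DXP` after the base-name variable duplicates what the product-name variable already expands to; the variables should be used unquoted, as the existing `## [[= product_name =]]` heading in the same file does.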
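Review bot: In PATCH 6/6, the reworded line "contains several recommendations, but be aware that they may be out of date as they don't mention PHP 8" now has "they" referring to the recommendations, whereas it is the cheat sheet that does not mention PHP 8; "it may be out of date, as it doesn't mention PHP 8" keeps the referent correct. In the same hunk's context line, "security related settings" should be hyphenated as "security-related settings" since it modifies a noun.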