Security hardening: disable expose_php, raise max_input_time, remove Indexes

[lucifer4330k]

Security hardening for server defaults.

Findings

• php.ini has expose_php = On. Best practice is Off.
• php.ini has max_input_time = 60, which can abort large multipart/form-data uploads while PHP is still reading POST data. After raising upload limits to 5G, this should be increased.
• Apache site config docker/config/api.conf sets Options Indexes for the document root, enabling directory listings (not needed for API).

Proposed changes

• Set expose_php = Off in docker/config/php.ini.
• Set max_input_time = 3600 (or -1) in docker/config/php.ini.
• Change <Directory /var/www/openml> Options to remove Indexes.

Acceptance criteria

• No directory listing anywhere under DocumentRoot.
• expose_php disabled.
• Large uploads do not time out during PHP input parsing.

[agarwalavantika]

Hi @lucifer4330k I'd love to work on this issue. Can you assign me?

[Aymuos22]

Hi @lucifer4330k

I've updated OpenML/docker/config/php.ini to harden the PHP runtime: turned off expose_php so responses no longer include the PHP signature, and raised max_input_time to 3600 seconds to keep multi‑GB multipart uploads from failing mid‑stream. Adjusted OpenML/docker/config/api.conf so the document root uses Options -Indexes ..., preventing Apache from serving directory listings for the API.

Kindly check my latest PR:#1276