array ( 0 => 'index.php', 1 => 'PHP Manual', ), 'head' => array ( 0 => 'UTF-8', 1 => 'en', ), 'this' => array ( 0 => 'security.cgi-bin.default.php', 1 => 'Case 1: only public files served', 2 => 'Case 1: only public files served', ), 'up' => array ( 0 => 'security.cgi-bin.php', 1 => 'Installed as CGI binary', ), 'prev' => array ( 0 => 'security.cgi-bin.attacks.php', 1 => 'Possible attacks', ), 'next' => array ( 0 => 'security.cgi-bin.force-redirect.php', 1 => 'Case 2: using cgi.force_redirect', ), 'alternatives' => array ( ), 'source' => array ( 'lang' => 'en', 'path' => 'security/cgi-bin.xml', ), 'history' => array ( ), ); $setup["toc"] = $TOC; $setup["toc_deprecated"] = $TOC_DEPRECATED; $setup["parents"] = $PARENTS; manual_setup($setup); contributors($setup); ?>

Case 1: only public files served

If your server does not have any content that is not restricted by password or IP based access control, there is no need for these configuration options. If your web server does not allow you to do redirects, or the server does not have a way to communicate to the PHP binary that the request is a safely redirected request, you can enable the cgi.force_redirect ini directive. You still have to make sure your PHP scripts do not rely on one or another way of calling the script, neither by directly http://my.host/cgi-bin/php/dir/script.php nor by redirection http://my.host/dir/script.php.

Redirection can be configured in Apache by using AddHandler and Action directives (see below).