Suhosin
Suhosin is an open-source security patch for PHP that can also be used as a PHP extension. It was created by the German company SektionEins. The patch and the extension are separate pieces, and they can be used together or on their own. Suhosin’s goal is to act as a safety net that protects servers from insecure PHP coding and to reduce PHP’s attack surface with features like function whitelists, resource limits, session and cookie protection, a binary content filter, logging, and other safeguards.
In practice, Suhosin helps reduce the risk of running PHP code that isn’t safe and defends against both known and some unknown attacks. Some of the patch’s low-level hardening ideas were later incorporated into PHP itself, but those hardenings aren’t part of the modules today.
Suhosin has appeared in various Linux distributions. Debian used to ship both the patch and the extension in older releases, Gentoo included it, and Mac OS X Server enabled it by default. Debian removed the patch in newer releases (7.x), but the extension remains in use in some setups. openSUSE stopped distributing the patch but kept the extension, and FreeBSD includes the extension in its ports collection.
Suhosin was first released in 2006 for PHP 5.2.0. The last patch release was 0.9.38 in 2015. After years with little official activity, some community contributions surfaced again around 2014. There is no plan to upstream Suhosin’s features into PHP itself.
In 2015, a project called suhosin7 aimed to bring similar hardening to PHP 7, but it didn’t gain wide adoption. A newer project called Snuffleupagus is intended to be the successor for PHP 7 and newer.
This page was last edited on 1 February 2026, at 23:32 (CET).