Securing Apache, Tip#2: PHP display_errors

As with Tip #1, make sure your PHP web application does not leak information about your site when it displays errors.

Simply setting:

display_errors = Off

in the php.ini of your production server will prevent you from leaking information that may give intruders hints about the structure of your system.

This directive controls whether or not and where PHP will output errors,
notices and warnings too. Error output is very useful during development, but
it could be very dangerous in production environments. Depending on the code
which is triggering the error, sensitive information could potentially leak
out of your application such as database usernames and passwords or worse.
It’s recommended that errors be logged on production servers rather than
having the errors sent to STDOUT.
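
A small audit for the setting above, as an added example that is not part of the original post. It goes beyond the single directive to also check that log_errors is enabled and that an Apache mod_php `php_flag`/`php_value` line does not switch display_errors back on; the function names and sample inputs are constructed for illustration.

```python
import re

# Values PHP's ini parser reads as boolean false (case-insensitive).
FALSY = {"", "0", "off", "false", "no", "none"}

def parse_ini(text):
    """Map directive -> value for php.ini text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if line.startswith("[") or "=" not in line:
            continue                             # section header, blank, no value
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_on(value):
    return value.lower() not in FALSY

# Apache (mod_php) directives that override php.ini per vhost or directory.
APACHE_RE = re.compile(
    r"^\s*php_(?:admin_)?(?:flag|value)\s+display_errors\s+(\S+)", re.I | re.M)

def audit(php_ini, apache_conf=""):
    """Return a list of findings; an empty list means nothing was flagged."""
    ini, findings = parse_ini(php_ini), []
    # Unset counts as on: PHP's built-in default displays errors.
    if is_on(ini.get("display_errors", "1")):
        findings.append("php.ini: display_errors is on or unset")
    # Policy of this example: logging must be enabled explicitly.
    if not is_on(ini.get("log_errors", "")):
        findings.append("php.ini: log_errors is not enabled")
    for value in APACHE_RE.findall(apache_conf):
        if is_on(value):
            findings.append("apache: display_errors re-enabled (%s)" % value)
    return findings

# Constructed sample inputs (not from a real server).
DEV_INI = "[PHP]\ndisplay_errors = On ; handy while coding\nlog_errors = Off\n"
PROD_INI = "[PHP]\ndisplay_errors = Off\nlog_errors = On\n"
VHOST = "<Directory /var/www/app>\n    php_flag display_errors on\n</Directory>\n"

if __name__ == "__main__":
    for name, args in [("dev", (DEV_INI,)), ("prod", (PROD_INI,)),
                       ("prod+vhost", (PROD_INI, VHOST))]:
        print(name, audit(*args) or "OK")
```

The comment stripping is a simplification that does not handle quoted values containing `;`, which is sufficient for these on/off directives.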

See other tips:

Securing Apache, Tip #1: Minimize banner information

 
