Securing Apache, Tip#2: PHP display_errors

On the same topic as in Tip#1, you have to make sure you do not potentially leak information about your site when your PHP web application displays errors.

Simply setting:

display_errors = Off

in your php.ini of your production server will prevent you from leaking information that may give intruders hints to the structure of your system.

This directive controls whether or not and where PHP will output errors,
notices and warnings too. Error output is very useful during development, but
it could be very dangerous in production environments. Depending on the code
which is triggering the error, sensitive information could potentially leak
out of your application such as database usernames and passwords or worse.
It’s recommended that errors be logged on production servers rather than
having the errors sent to STDOUT.

See other tips:

Securing Apache, Tip #1: Minimize banner information



2 thoughts on “Securing Apache, Tip#2: PHP display_errors

  1. Pingback: Securing Apache, Tip #1: Minimize banner information | In just five minutes…

  2. Pingback: Securing Apache, Tip#3: Restrict file extensions | In just five minutes…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s