PHP display_errors Is Enabled
Description
The PHP display_errors directive controls whether error messages are shown directly in the application's output. When enabled in production environments, this setting causes PHP to display detailed error and warning messages to end users, potentially exposing sensitive information about the application's file structure, database queries, configuration details, and internal logic.
Invicti detected that the display_errors directive is currently enabled on this server.
Remediation
Disable the display_errors directive (and display_startup_errors, which is a separate directive governing errors raised during PHP startup) and enable log_errors so that errors are written to a log the web server process can reach but end users cannot, instead of being displayed in the response.
Option 1: Modify php.ini (recommended for server-wide configuration)
Locate the php.ini that the web server's PHP SAPI (mod_php or PHP-FPM) loads. On many distributions this is a different file from the one the command-line php binary reads, so a change to the CLI php.ini has no effect on the web application. Set the following directives:

display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
Option 2: Use .htaccess (for Apache with mod_php)
Add the following directives to your .htaccess file. php_flag and php_value exist only when PHP runs as an Apache module; with PHP-FPM or CGI there is no mod_php to interpret them and Apache treats them as unknown directives. In that case put the equivalent settings in the FPM pool configuration as php_admin_flag/php_admin_value (which the application cannot override at runtime) or in a .user.ini file in the document root:

php_flag display_errors Off
php_flag log_errors On
php_value error_log /var/log/php/error.log
Option 3: Configure at runtime (application-level)
Add this code at the beginning of your PHP scripts or bootstrap file:

ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/error.log');

Runtime settings take effect only once this code has executed. A parse error in the bootstrap file itself, or any error raised before the file is included, is still handled according to php.ini and will be displayed if display_errors is on there. Treat Option 3 as a supplement to Option 1 or 2, not a replacement.

After making changes, restart your web server (or reload PHP-FPM) and verify the configuration with a test script requested through the web server, for example one that reports ini_get('display_errors') and ini_get('log_errors'); the output of php -i on the command line reflects the CLI configuration and does not prove anything about the web SAPI. Remove the test script once the check is done. Ensure the error log directory exists and is writable by the web server process, otherwise the errors are not written to the configured file.
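The following is an added example that is not part of the Invicti report or of PHP's own documentation. It combines Option 3 with the verification step: a bootstrap file that turns off display_errors, routes every error and uncaught exception to the log, returns a generic message to the client, and exposes a function that reports the effective settings for the SAPI actually serving the request. The file name bootstrap_errors.php, the log path and the function name verify_error_config are assumptions.

```php
<?php
// bootstrap_errors.php (hypothetical name): include this before any application
// code. Added example, not code from the Invicti report or from PHP itself.
declare(strict_types=1);

// Assumed log location; the directory must exist and be writable by the
// web server user, otherwise nothing is written there.
const APP_ERROR_LOG = '/var/log/php/error.log';

ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', APP_ERROR_LOG);
error_reporting(E_ALL);

// Log the full detail server-side; show the user nothing that reveals paths,
// queries or stack traces.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // suppressed with @ or excluded by error_reporting()
    }
    error_log(sprintf('PHP error [%d]: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // do not fall through to the default handler
});

set_exception_handler(function (Throwable $e): void {
    error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine() . "\n" . $e->getTraceAsString());
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred.\n";
});

// Fatal errors bypass set_error_handler; PHP has already logged them because
// log_errors is on, so only the generic response is needed here.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err === null) {
        return;
    }
    if (in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        if (!headers_sent()) {
            http_response_code(500);
            header('Content-Type: text/plain; charset=utf-8');
        }
        echo "An internal error occurred.\n";
    }
});

/**
 * Report the effective error settings for the SAPI running this request.
 * Call it from a page served by the web server, not from the CLI, because the
 * CLI may load a different php.ini. Remove that page once the check is done.
 */
function verify_error_config(): array
{
    // ini_get() returns strings such as "0", "1", "", "Off", "stdout"; treat
    // anything other than the known "off" spellings as enabled.
    $offValues = ['', '0', 'off', 'false', 'no'];
    $displayOn = !in_array(strtolower((string) ini_get('display_errors')), $offValues, true);
    $logOn     = !in_array(strtolower((string) ini_get('log_errors')), $offValues, true);
    $logFile   = (string) ini_get('error_log');
    $logDir    = dirname($logFile);

    return [
        'sapi'             => PHP_SAPI,
        'loaded_php_ini'   => php_ini_loaded_file(),
        'display_errors'   => $displayOn,   // must be false
        'log_errors'       => $logOn,       // must be true
        'error_log'        => $logFile,
        'log_dir_writable' => $logDir !== '' && is_dir($logDir) && is_writable($logDir),
    ];
}
```

To use it, require the file from the application's front controller before any other include, then temporarily serve a page that prints json_encode(verify_error_config()) and request it over HTTP. The check passes when display_errors is false, log_errors is true and log_dir_writable is true; a mismatch between loaded_php_ini and the file you edited is the usual sign that the CLI and web SAPI php.ini differ.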