PHP errors enabled
Description
The PHP display_errors directive controls whether error messages are shown directly in the application's output. When enabled in production environments, this configuration causes detailed error messages, warnings, and notices to be displayed to end users.
Invicti IAST detected that the display_errors directive is currently enabled on this PHP application, which may expose sensitive technical information to potential attackers.
Remediation
Disable the display_errors directive and enable error logging instead to ensure errors are recorded securely without exposing them to users.
Option 1: Modify php.ini (recommended for server-wide configuration)
Locate your php.ini file and set the following directives:
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
Option 2: Use .htaccess (for Apache with mod_php)
Add the following directives to your .htaccess file:
php_flag display_errors Off
php_flag log_errors On
php_value error_log /var/log/php/error.log
Option 3: Runtime configuration (application-level)
Add this code at the beginning of your PHP application:
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/error.log');
After making changes, restart your web server and verify the configuration using phpinfo() or by checking that errors are no longer displayed to users. Ensure the error log directory has appropriate write permissions and is not publicly accessible.
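The following bootstrap is an added example (not Invicti's code and not part of this page) that applies the Option 3 runtime settings and then checks that they actually took effect, including the write-permission and document-root checks described above. APP_ERROR_LOG is an assumed path; adjust it to your environment.

```php
<?php
// Added example: production bootstrap that applies the runtime settings from Option 3
// and verifies them. APP_ERROR_LOG is an assumed path; it must be writable by the web
// server user and live outside the document root so the log is never served over HTTP.
declare(strict_types=1);

const APP_ERROR_LOG = '/var/log/php/error.log';

function configure_error_reporting(string $logPath): bool
{
    // ini_set() returns false when a directive cannot be changed at runtime
    // (for example when locked with php_admin_flag), so check every call.
    $ok = ini_set('display_errors', '0') !== false;
    $ok = ini_set('display_startup_errors', '0') !== false && $ok;
    $ok = ini_set('log_errors', '1') !== false && $ok;
    $ok = ini_set('error_log', $logPath) !== false && $ok;
    error_reporting(E_ALL); // keep reporting everything; it now goes only to the log
    return $ok;
}

function verify_error_reporting(string $logPath): array
{
    $problems = [];
    // display_errors accepts several truthy spellings plus "stdout" and "stderr".
    $display = strtolower(trim((string) ini_get('display_errors')));
    if (in_array($display, ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true)) {
        $problems[] = 'display_errors is still enabled';
    }
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'log_errors is disabled';
    }
    if (ini_get('error_log') !== $logPath) {
        $problems[] = 'error_log does not point at the expected file';
    }
    $dir = dirname($logPath);
    if (!is_dir($dir) || !is_writable($dir) || (file_exists($logPath) && !is_writable($logPath))) {
        $problems[] = "log location $logPath is not writable by the web server user";
    }
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    $realDir = realpath($dir) ?: $dir;
    if ($docRoot !== false && strncmp($realDir, $docRoot, strlen($docRoot)) === 0) {
        $problems[] = 'log file is inside the document root and may be downloadable';
    }
    return $problems;
}

// Caveat: ini_set() cannot suppress errors raised before this file runs (parse errors in
// the bootstrap itself, startup errors), so php.ini or .htaccess remains the stronger fix.
configure_error_reporting(APP_ERROR_LOG);
foreach (verify_error_reporting(APP_ERROR_LOG) as $problem) {
    error_log('error-reporting misconfiguration: ' . $problem);
}
```

Any problem reported by verify_error_reporting() goes to the SAPI error log rather than the response, so the check itself never leaks configuration details to users.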