Consortium News
Promotional Links
Please support us by providing a link to the PHP Security Consortium on your web site. You can also use our promotional image:

PhpSecInfo Test Information


Test Description

This test checks to see if display_errors is enabled.

Security Implications

The display_errors directive determines whether error messages should be sent to the browser. These messages frequently contain sensitive information about your web application environment, and should never be presented to untrusted sources.

display_errors is on by default.


Unless you are in a closed development state, display_errors should be disabled, and all error messages should be passed to system log files using the log_errors directive.

You can disable display_errors in the php.ini file:

; Disable display_errors for security reasons
display_errors = 'off'
log_errors = 'on'

The setting can also be disabled in apache's httpd.conf file, or an .htaccess file:

# Disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on

More Information

« Test information index

Get PhpSecInfo