
Why it Matters

Xdebug is a powerful PHP debugging and profiling tool, but it must never be loaded on production servers. Simply having the extension loaded slows execution noticeably, and its error handling reveals internals such as full stack traces, function arguments and local file paths in responses. Worse, Xdebug's remote debugging is a connect-back design: with xdebug.remote_connect_back (Xdebug 2) or xdebug.discover_client_host (Xdebug 3) enabled, Xdebug takes the debugger address from request headers such as X-Forwarded-For and connects to it, and the DBGp debugging protocol lets the connected client evaluate arbitrary PHP. An attacker who can reach the site can therefore point Xdebug at a listener they control and obtain code execution as the PHP worker.

Removing Xdebug from production keeps the store fast, removes that attack surface, and ensures sensitive internals are not leaked by accident.

Verification Steps

Command line

# List active PHP modules (case-insensitive: Xdebug 3 lists itself as "Xdebug", Xdebug 2 as "xdebug")
php -m | grep -i xdebug

# Expected: (no output) on production servers

PHP Info check

# Run php -i and search for xdebug settings
php -i | grep -i xdebug

# Expected: no entries in production

Note that `php` is the CLI binary and reads the CLI php.ini; the web SAPI (PHP-FPM or mod_php) has its own php.ini and conf.d directory, so a clean CLI result does not prove the store is clean. Repeat the check against the binary that serves web requests (for example `php-fpm8.2 -m | grep -i xdebug` on Debian/Ubuntu), or inspect a phpinfo() page rendered through the web server on a non-production copy of the configuration.
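The following script is an added example for the check above; it is not part of the original baseline page. It runs `-m` against the CLI binary and every PHP-FPM binary it can find, looks for Xdebug case-insensitively so both Xdebug 2 and Xdebug 3 are caught, and reports PASS/FAIL per binary, exiting non-zero if any SAPI has the extension loaded. The binary names and paths it probes (`php`, `php-fpm`, `/usr/sbin/php-fpm*`) are assumptions based on Debian/Ubuntu layouts; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: verify that no PHP SAPI on this host has Xdebug loaded.
# Assumes Debian/Ubuntu-style binary locations; adjust the candidate list as needed.

# xdebug_loaded MODULE_LIST
# Returns 0 (true) if the module list names Xdebug, case-insensitively, 1 otherwise.
# Matches whole lines so unrelated modules containing the substring are not flagged.
xdebug_loaded() {
    printf '%s\n' "$1" | grep -qi '^xdebug$'
}

# check_binary PATH
# Runs "PATH -m" and prints a PASS/FAIL line; returns 1 on FAIL, 0 otherwise.
# Binaries that cannot list modules are reported as SKIP and do not fail the check.
check_binary() {
    bin="$1"
    mods=$("$bin" -m 2>/dev/null) || { echo "SKIP $bin (could not list modules)"; return 0; }
    if xdebug_loaded "$mods"; then
        echo "FAIL $bin: Xdebug is loaded"
        return 1
    fi
    echo "PASS $bin: Xdebug not loaded"
    return 0
}

# Walk the CLI binary plus any PHP-FPM binaries (assumed locations) and
# return non-zero if any of them fails the check.
main() {
    status=0
    for bin in php php-fpm /usr/sbin/php-fpm*; do
        # Skip names that do not resolve to an executable (including unmatched globs).
        [ -x "$(command -v "$bin" 2>/dev/null)" ] || continue
        check_binary "$bin" || status=1
    done
    return $status
}

main "$@"
```

Run it as `sh xdebug_check.sh` on the production host; a non-zero exit status means at least one PHP SAPI still loads Xdebug and the baseline check fails. The per-binary loop is the important part: a FAIL on `php-fpm` with a PASS on `php` is exactly the CLI-versus-web-SAPI gap that a single `php -m` would miss.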

Remediation / Fix Guidance

  1. Remove the Xdebug package from production (Debian/Ubuntu shown; phpdismod disables the conf.d entry for every SAPI, apt-get removes the extension itself):
    sudo phpdismod xdebug
    sudo apt-get remove php-xdebug
     If Xdebug was installed with PECL rather than a distribution package, also remove the zend_extension=xdebug line from php.ini and the conf.d directory of each SAPI.
  2. Restart the PHP-FPM service for the installed PHP version (or the web server for mod_php) so running workers drop the extension, then re-run the verification steps against both the CLI and the web SAPI.
  3. If developers need Xdebug, install it only on local or staging environments.
  4. Update CI/CD pipelines and Dockerfiles so production images and containers are built without Xdebug; if a single image is shared, make sure the extension is not loaded in the production configuration.

Examples

Fail Example

$ php -m | grep -i xdebug
Xdebug
# Xdebug active in production → FAIL

Pass Example

$ php -m | grep -i xdebug
# (no output)
# Xdebug not present in production → PASS

References