
Why it Matters

If PHP or Magento is configured to display errors in the browser, stack traces, absolute file paths, and configuration details are exposed to any visitor who manages to trigger an error. Attackers use that output to map the filesystem layout, enumerate installed first- and third-party modules from the paths in the trace, and target known vulnerabilities in those components.

In production, errors must be logged but never rendered to customers. Writing them to a log outside the web root prevents the information leak while still giving administrators full error detail.

Verification Steps

PHP settings

# Check the effective PHP configuration for the CLI SAPI
php -i | grep display_errors
# Expected: display_errors => Off => Off   (local value => master value)
# Caveat: php -i reports the CLI's php.ini, which may differ from the one
# PHP-FPM loads; also check the FPM pool config for php_flag/php_admin_flag
# overrides of display_errors, since those win over php.ini for web requests.

Magento configuration

# Inspect env.php for error settings and the deploy mode
grep -i display_errors app/etc/env.php
# Expected: no match (display_errors must not be enabled here)
# Also confirm 'MAGE_MODE' => 'production' in env.php (MB-R031); developer
# mode shows exceptions in the browser.
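The checks above can be scripted against the configuration files themselves rather than read by eye. The following is an added example, not part of the baseline page or of Magento: it parses php.ini-style and PHP-FPM pool-style text for display_errors and log_errors, flags the php_flag form (which application code can override with ini_set()) as weaker than php_admin_flag, and extracts MAGE_MODE from env.php. The sample configuration text is constructed for the demonstration, and the file paths in it are assumptions.

```python
"""Audit php.ini / PHP-FPM pool text and Magento env.php for error display.

Added example (not from the baseline page or Magento): parses configuration
text instead of running php, so it works offline. Paths are assumptions.
"""
import re

# Strings PHP accepts as "off" for boolean ini directives (case-insensitive).
# Anything else, including "stderr" and "stdout", still displays errors.
OFF_VALUES = {"", "0", "off", "false", "no", "none"}

# php.ini form:        display_errors = Off
INI_RE = re.compile(r"^\s*(display_errors|log_errors)\s*=\s*(.*?)\s*$", re.I)
# PHP-FPM pool form:   php_admin_flag[display_errors] = off
FPM_RE = re.compile(
    r"^\s*(php_(?:admin_)?(?:flag|value))\[(display_errors|log_errors)\]\s*=\s*(.*?)\s*$",
    re.I,
)
# Magento env.php:     'MAGE_MODE' => 'production'
MAGE_MODE_RE = re.compile(r"'MAGE_MODE'\s*=>\s*'([A-Za-z]+)'")


def parse_settings(text):
    """Map directive name -> (value, how_set) for the last assignment seen.

    how_set is 'ini' for php.ini lines, or the php-fpm keyword used
    (php_flag, php_value, php_admin_flag, php_admin_value). ';' starts a
    comment in both formats; quoted values containing ';' are not handled,
    which is fine for boolean flags.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        m = INI_RE.match(line)
        if m:
            settings[m.group(1).lower()] = (m.group(2).strip("\"'"), "ini")
            continue
        m = FPM_RE.match(line)
        if m:
            settings[m.group(2).lower()] = (m.group(3).strip("\"'"), m.group(1).lower())
    return settings


def is_off(value):
    return value.strip().lower() in OFF_VALUES


def audit_php_config(text):
    """Return a list of findings; an empty list means the text passes."""
    findings = []
    settings = parse_settings(text)
    if "display_errors" not in settings:
        # PHP's compiled-in default for display_errors is "1" (On).
        findings.append("display_errors is not set; PHP defaults to On")
    else:
        value, how_set = settings["display_errors"]
        if not is_off(value):
            findings.append(f"display_errors is '{value}' (must be Off)")
        elif how_set in ("php_flag", "php_value"):
            findings.append(
                "display_errors is Off via php_flag/php_value, which ini_set() "
                "in application code can override; use php_admin_flag"
            )
    # log_errors defaults to On, so only an explicit Off is a finding.
    if "log_errors" in settings and is_off(settings["log_errors"][0]):
        findings.append("log_errors is Off; errors would be neither shown nor logged")
    return findings


def magento_mode(env_php_text):
    """Return the MAGE_MODE declared in env.php (lowercased), or None.

    A MAGE_MODE environment variable overrides env.php; `bin/magento
    deploy:mode:show` reports the effective mode on a real install.
    """
    m = MAGE_MODE_RE.search(env_php_text)
    return m.group(1).lower() if m else None


# Constructed samples for demonstration; not taken from any real host.
SAMPLE_FAIL_INI = """
; php.ini fragment left over from development
display_errors = On
log_errors = Off
"""
SAMPLE_PASS_FPM_POOL = """
; /etc/php-fpm.d/www.conf fragment (path is an assumption)
php_admin_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
"""
SAMPLE_ENV_PHP = """<?php
return [
    'MAGE_MODE' => 'production',
];
"""

if __name__ == "__main__":
    for name, text in (("php.ini", SAMPLE_FAIL_INI), ("fpm pool", SAMPLE_PASS_FPM_POOL)):
        print(f"{name}: {'; '.join(audit_php_config(text) or ['pass'])}")
    print("MAGE_MODE:", magento_mode(SAMPLE_ENV_PHP))
```

Point audit_php_config at the php.ini PHP-FPM actually loads and at every pool file, not only the CLI's php.ini; the pool directives take precedence for web requests. Treat the env.php result as a hint only and confirm with bin/magento deploy:mode:show, which accounts for the MAGE_MODE environment variable.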

Remediation / Fix Guidance

  1. Set display_errors = Off in php.ini or in the PHP-FPM pool configuration, then reload PHP-FPM. In the pool, prefer the php_admin_flag form so application code cannot re-enable it with ini_set():
    display_errors = Off
    log_errors = On
  2. Ensure Magento is in production mode (MB-R031): developer mode shows exceptions in the browser, production mode suppresses verbose error output.
  3. Use log files (Magento's var/log/ and PHP's error_log, both kept outside the web root) or external monitoring for debugging instead of showing errors to users.
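A pool-level version of the fix, as an added example rather than configuration from the baseline page; the pool name, file path and log path are assumptions to adapt to your distribution. The php_admin_* directives differ from php_flag/php_value in that PHP refuses ini_set() changes to them, so a stray debug call in application code cannot switch error display back on:

```ini
; /etc/php-fpm.d/www.conf (example; path and pool name are assumptions)
[www]
; php_admin_flag cannot be overridden by ini_set() from PHP code,
; unlike php_flag / php_value.
php_admin_flag[display_errors] = off
php_admin_flag[log_errors] = on
; Keep the log outside the web root so it is never served to visitors.
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
```

Reload PHP-FPM after editing the pool file, then re-run the verification step so the new values are confirmed for the web SAPI, not just the CLI.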

Examples

Fail Example

; php.ini
display_errors = On
; Visitors may see stack traces and file paths

Pass Example

; php.ini
display_errors = Off
log_errors = On
; Errors are logged but not shown to visitors
