# PHP Ini Analyzer
| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |

This analyzer checks whether your PHP configuration is secure.
# Recommended PHP Settings
- `allow_url_fopen`: Should be disabled. Disabling this minimizes the risk of escalating LFIs to RFIs and reduces the risk of remote code execution, information disclosure and cross-site scripting (XSS).
- `allow_url_include`: Should be disabled. This has an effect similar to
- `expose_php`: Should be disabled. If this configuration is on, an attacker may see the version of PHP running on the application server.
- `display_errors`: Should be disabled to avoid exposing detailed application error messages which may include sensitive information.
- `display_startup_errors`: Should be disabled to avoid exposing errors that occur during PHP's startup sequence.
- `log_errors`: Should be enabled to log error messages to the server's error log file.
- `ignore_repeated_errors`: Should be disabled.

If any of the above settings differs from the recommendations, this analyzer reports a failure.

When changing the above settings, make sure you make the relevant changes to the `php.ini` file for both FPM and CLI.
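
The FPM and CLI files can drift apart, so it helps to audit each one as text rather than trusting `ini_get()` from a single SAPI. The script below is an added example, not Enlightn's own code: the function names `iniBool` and `auditIni` are hypothetical, and both ini samples are constructed.

```php
<?php
// Added example (not Enlightn's code): audit php.ini text against this page's list.
const RECOMMENDED = [ // true = should be enabled
    'allow_url_fopen'        => false,
    'allow_url_include'      => false,
    'expose_php'             => false,
    'display_errors'         => false,
    'display_startup_errors' => false,
    'log_errors'             => true,
    'ignore_repeated_errors' => false,
];

// Interpret a raw value the way PHP treats boolean directives.
function iniBool(string $name, string $raw): bool
{
    $v = strtolower(trim($raw, " \t\"'"));
    $truthy = ['on', 'yes', 'true'];
    if ($name === 'display_errors') {
        $truthy = array_merge($truthy, ['stdout', 'stderr']); // also mean "display"
    }
    return in_array($v, $truthy, true) || (int) $v !== 0;
}

// Returns directive => 'ok' | 'fail' | 'unset' (unset falls back to PHP's default).
function auditIni(string $iniText): array
{
    $set = parse_ini_string($iniText, false, INI_SCANNER_RAW);
    if ($set === false) {
        throw new RuntimeException('php.ini text could not be parsed');
    }
    $report = [];
    foreach (RECOMMENDED as $name => $wanted) {
        $report[$name] = !array_key_exists($name, $set) ? 'unset'
            : (iniBool($name, (string) $set[$name]) === $wanted ? 'ok' : 'fail');
    }
    return $report;
}

// Constructed samples: FPM is hardened, the CLI file was left behind.
$fpm = "[PHP]\nallow_url_fopen = Off\nallow_url_include = Off\nexpose_php = Off\n"
     . "display_errors = Off\ndisplay_startup_errors = Off\nlog_errors = On\n"
     . "ignore_repeated_errors = Off\n";
$cli = "[PHP]\nallow_url_fopen = On\nexpose_php = 0\ndisplay_errors = stderr\nlog_errors = no\n";
foreach (['fpm' => $fpm, 'cli' => $cli] as $sapi => $text) {
    foreach (auditIni($text) as $name => $status) {
        printf("%-4s %-24s %s\n", $sapi, $name, $status);
    }
}
```

To audit real files, pass `file_get_contents()` of each SAPI's `php.ini` to `auditIni()`; `php --ini` prints the path the CLI loads. An `unset` result means the directive falls back to PHP's built-in default, which is worth checking for the PHP version in use.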