Verbose errors or stack traces enabled in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Config exposes full errors to clients (display_errors On, include-stacktrace=always, propagate_exceptions true). Stack traces reveal file paths, library versions, and query fragments that help an attacker map the app.
Why it matters
Sending full errors and stack traces to clients leaks file paths, framework and library versions, and fragments of queries or config, which helps an attacker map your app and target the next flaw. Settings like display_errors On or include-stacktrace=always are meant for local debugging, not production.
How to fix it
Turn detailed error output off in production config and return a generic error page to clients while logging the full detail server-side. Drive the setting from an environment variable so development can keep verbose errors. Confirm a triggered error shows no internal detail to the client.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo