From 238d3244b28ac0d63b49f680efc7a9da251de555 Mon Sep 17 00:00:00 2001 From: Elijah Duffy Date: Mon, 8 Dec 2025 20:53:54 -0800 Subject: [PATCH] php-fpm: warn to logs when debug is enabled --- README.md | 2 +- shared/php-fpm/force-debug.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 94b7130..3571e99 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ The CI workflow is configured to build with the repository root as the Docker bu - PHP-FPM streams master/worker logs plus PHP fatals to stderr, so `docker compose logs php-fpm` (or your platform equivalent) will always contain the messages you need for incident response. - The auto-prepend bootstrap additionally installs shutdown/exception hooks that write uncaught throwables and fatal errors to stderr even if WordPress or a plugin tampers with `ini_set()`. - - When you need full stack traces in the browser, set `FORCE_DEBUG_ERRORS=1` on the `php-fpm` service. The bootstrap enables verbose output and logs a single notice so you remember to remove it later. + - When you need full stack traces in the browser, set `FORCE_DEBUG_ERRORS=1` on the `php-fpm` service. The bootstrap enables verbose output and emits a warning in the container logs reminding you to turn it back off (leaving it on in production leaks stack traces to clients). - Remove or unset `FORCE_DEBUG_ERRORS` after troubleshooting so production responses stay clean. ## Local Testing & Development diff --git a/shared/php-fpm/force-debug.php b/shared/php-fpm/force-debug.php index 973e715..d3024fa 100644 --- a/shared/php-fpm/force-debug.php +++ b/shared/php-fpm/force-debug.php @@ -76,5 +76,5 @@ if ($forceDebugEnabled) { error_reporting(E_ALL); ini_set('display_errors', '1'); ini_set('display_startup_errors', '1'); - $forceDebugLog('[force-debug] Verbose error reporting enabled via FORCE_DEBUG_ERRORS'); + $forceDebugLog('[force-debug] FORCE_DEBUG_ERRORS is enabled — stack traces will be sent to clients. Disable this in production.'); }