Prisma PHP Package: Warnings ⚠️
Use this checklist to keep your app safe and stable in production. These guardrails prevent sensitive data leaks, avoid noisy failures, and reduce attack surface.
SHOW_ERRORS
Never enable SHOW_ERRORS in production.
Verbose errors can leak secrets (paths, tokens, queries) to end users.
Recommended baseline:

Development:

```env
# .env (dev)
APP_ENV="development"
SHOW_ERRORS="true"
```

Production:

```env
# .env (prod)
APP_ENV="production"
SHOW_ERRORS="false"
```
Note: In development, checkForDuplicateRoutes analyzes and throws on duplicate routes (especially within groups). In production, this analysis is skipped for stability and performance. Fix any duplicates during development.
Quick Audit (Dev vs Prod)
| Setting | Dev | Prod | Why |
|---|---|---|---|
| APP_ENV | development | production | Enables prod code paths, disables dev-only checks. |
| SHOW_ERRORS | true | false | Prevents leaking stack traces / secrets. |
| CORS_ALLOWED_ORIGINS | * or broad | explicit list | Only trusted front-ends should call your APIs. |
| MCP_JSON_RESPONSE | true (ok) | false | Avoid exposing raw request/response frames. |
| AUTH_SECRET | any value | strong, rotated | Protects JWT/sessions; rotate on leaks. |
CORS: Allow Only What You Use
Set origins as CSV or JSON array. Use [] to block all cross-origin requests (same-origin only).

```env
# Safe examples
CORS_ALLOWED_ORIGINS="https://app.example.com,https://admin.example.com"
# or
CORS_ALLOWED_ORIGINS=["https://app.example.com","https://admin.example.com"]

# Block all (default same-origin)
CORS_ALLOWED_ORIGINS=[]

# If sending cookies/Authorization across origins:
CORS_ALLOW_CREDENTIALS="true"
```

Reminder: When CORS_ALLOW_CREDENTIALS="true", you must specify origins explicitly (no *).
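The origin check this section describes, as an added example that is not part of Prisma PHP: it parses both the CSV and JSON forms above, treats [] as same-origin only, and refuses to pair a wildcard with credentials. parseAllowedOrigins and corsHeadersFor are hypothetical names, and the origin values are constructed.

```php
<?php
// Added example, not Prisma PHP's own code. Parses CORS_ALLOWED_ORIGINS as this page
// describes (CSV or JSON array, [] = same-origin only) and builds the CORS headers for
// one request. Function names are hypothetical.

function parseAllowedOrigins(string $raw): array
{
    $raw = trim($raw);
    if ($raw === '') {
        return [];
    }
    if ($raw[0] === '[') {
        // JSON array form; "[]" decodes to an empty list, which blocks all cross-origin calls
        $decoded = json_decode($raw, true);
        return is_array($decoded) ? array_values(array_filter($decoded, 'is_string')) : [];
    }
    // CSV form: https://a.example,https://b.example
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

// Returns the CORS headers to emit, or [] to emit none (the browser then blocks the
// cross-origin read). "*" is never combined with credentials: browsers reject that pair,
// and reflecting arbitrary origins instead would defeat the allow-list entirely.
function corsHeadersFor(array $allowed, string $requestOrigin, bool $credentials): array
{
    if ($allowed === [] || $requestOrigin === '') {
        return [];
    }
    if (in_array('*', $allowed, true)) {
        return $credentials ? [] : ['Access-Control-Allow-Origin' => '*'];
    }
    // Exact, case-sensitive match on scheme + host + port; no prefix or substring matching
    if (!in_array($requestOrigin, $allowed, true)) {
        return [];
    }
    // Vary: Origin keeps shared caches from serving one origin's response to another
    $headers = ['Access-Control-Allow-Origin' => $requestOrigin, 'Vary' => 'Origin'];
    if ($credentials) {
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

// Constructed demo values, not read from a real .env
$allowed = parseAllowedOrigins('["https://app.example.com","https://admin.example.com"]');
foreach (['https://app.example.com', 'https://evil.example'] as $origin) {
    echo $origin, ' => ', json_encode(corsHeadersFor($allowed, $origin, true)), PHP_EOL;
}
echo 'wildcard+credentials => ', json_encode(corsHeadersFor(parseAllowedOrigins('*'), 'https://any.example', true)), PHP_EOL;
```

Run it with php on the command line; an unlisted origin and a wildcard combined with credentials both produce no CORS headers, which is the behaviour the reminder above requires.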
MCP Exposure
Your MCP server is powerful. Treat it like an internal API. In production:
- Disable MCP_JSON_RESPONSE (set to false).
- Put MCP behind a reverse proxy with auth (API key/JWT or IP allow-list).
- Restrict tools to least privilege; validate all inputs with #[Schema].
Dev (OK to inspect):

```env
MCP_JSON_RESPONSE="true"
```

Prod (Hardened):

```env
MCP_JSON_RESPONSE="false"
```

Debugging: Use the MCP Inspector in development for live request/response testing:

```shell
npx @modelcontextprotocol/inspector http://127.0.0.1:4000/mcp
```
Sensitive Files & PHP Defaults
- Block direct access to .env, composer.json, VCS dirs, etc. (handled in your .htaccess rules).
- Prefer logging errors over displaying them to users. Configure your server to capture PHP logs.
Optional: php.ini hardening (example)

```ini
; php.ini (prod-friendly)
display_errors = Off
log_errors = On
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
expose_php = Off
session.cookie_httponly = 1
session.cookie_secure = 1
session.use_strict_mode = 1
```
Common Pitfalls
| Pitfall | Symptom | Fix |
|---|---|---|
| SHOW_ERRORS left on in prod | Users see stack traces / paths | Set SHOW_ERRORS="false", enable server-side logging |
| Wild-card CORS with credentials | Browser blocks / security risk | Use explicit origins and keep CORS_ALLOW_CREDENTIALS="true" only if needed |
| MCP JSON responses enabled | Tool payloads visible publicly | Disable in prod; protect behind auth/proxy |
| Duplicate routes in grouped routes | Unpredictable handler resolution | Fix in dev; rely on checkForDuplicateRoutes warnings |
Conclusion
Lock down errors, origins, and debug surfaces before going live. With these guardrails—and your usual code reviews and tests—Prisma PHP runs safely and predictably in production.