PCC: The Single-File Security Audit That Fits in Your Back Pocket
Hook
The most effective security audit tool you’ll ever use doesn’t need Composer, doesn’t use classes, and deliberately stops working after 48 hours. This isn’t a bug—it’s a feature.
Context
Every PHP deployment carries invisible risk. Your application code might be pristine, passing security audits with flying colors, but if security-critical php.ini settings aren’t properly configured, attackers may have paths into your system through the runtime itself. The gap between development and production PHP configurations is where vulnerabilities hide—developers run loose settings locally, sysadmins harden production, and no one actually validates what’s running until a breach happens.
Traditional approaches to PHP configuration auditing involve either manual checklist reviews (tedious, error-prone) or heavyweight security scanners that analyze application code but may overlook runtime settings. What’s been missing is a lightweight, transparent tool you can drop onto any server—legacy or modern, shared hosting or containerized—get immediate feedback on PHP’s security posture, and remove before it becomes an attack surface itself. That’s the design philosophy behind PCC (PHP Secure Configuration Checker) from SektionEins, a German security consultancy that decided automating php.ini checks was more valuable than doing them manually repeatedly.
Technical Insight
PCC’s architecture is radically simple: one PHP file containing what the README describes as simple procedural tests that check security-related ini entries via functions like ini_get(), evaluate the results, and output findings in text, HTML, or JSON. The README explicitly states the tool avoids ‘complicated/overengineered code, e.g. no classes/interfaces, test-frameworks, libraries’ to ensure it’s ‘obvious on first glance - even for novices - how this tool works and what it does.’
The core execution model works identically in CLI and web contexts. Run php phpconfigcheck.php from the command line and you get plain text output by default (with -h for HTML or -j for JSON). Access it via HTTP and you get HTML formatted results. The tool appears to detect the execution environment and adjusts output accordingly, with environment variables like PCC_OUTPUT_TYPE providing format control.
Format flexibility is built in: JSON output (-j flag or format=json parameter) provides structured data suitable for automation and monitoring systems. Text mode works for terminal sessions. HTML mode provides visual output for sharing results. The README notes that in web mode, you can override the default format using the format URL parameter (e.g., phpconfigcheck.php?format=text), with this parameter taking precedence over environment variables.
The web mode safeguards are particularly notable. PCC implements two defensive mechanisms assuming that exposing your PHP configuration to the internet is risky. First, the mtime check: the script examines its own file modification time and refuses to run in non-CLI mode after two days have passed. You must physically touch phpconfigcheck.php to re-arm it, forcing conscious re-authorization rather than leaving a security disclosure endpoint permanently exposed. This can be disabled by setting PCC_DISABLE_MTIME=1. Second, the IP whitelist defaults to localhost only (127.0.0.1 and ::1). To run it remotely, you must explicitly set PCC_ALLOW_IP to your IP address or a wildcard pattern like 10.0.0.* via environment variable.
The output control in web mode shows thoughtful design: security tools often overwhelm users with information, so PCC hides ‘skipped, ok and unknown/untested’ results by default, showing only problems. Adding ?showall=1 to the URL reveals the complete picture. This doesn’t apply to JSON output, which returns all results by default.
Compatibility is maintained with PHP >= 8.1 while keeping the code simple by avoiding complicated constructs and dependencies, as stated in the README’s design goals.
Gotcha
The single biggest limitation is PCC’s dependence on the very functions it’s designed to audit. The README’s troubleshooting section explicitly warns that ‘This script needs a few functions to work properly, such as ini_get() and stat(). If one of these functions is blacklisted (or not whitelisted) then execution will fail or produce invalid output.’ If your PHP environment is hardened to the point where these functions are disabled via disable_functions or Suhosin’s configuration, PCC simply cannot run. The README suggests temporarily putting Suhosin in simulation mode and omitting disable_functions, or running with a separate ini file via php -n -c /etc/.../php.ini phpconfigcheck.php. This creates a chicken-and-egg problem: you can’t audit extremely locked-down environments without temporarily unlocking them.
The 2-day mtime expiry, while security-conscious, can complicate automation. If you want to run PCC as part of scheduled compliance checks or server configuration validation, you must either disable the safeguard with PCC_DISABLE_MTIME=1 (removing the protection) or build processes that touch the file before each run (adding complexity). There’s no built-in accommodation for automated scheduled use with safeguards intact.
The README includes an important warning: ‘This tool will only support you setting up a secure PHP environment. Nothing else. Your setup, software or any related configuration may still be vulnerable, even if this tool’s output suggests otherwise.’ PCC reads static ini settings—it can identify configuration weaknesses, but it can’t determine if your application code has vulnerabilities or if your web server is misconfigured in other ways. It’s a configuration checker, not a comprehensive vulnerability scanner, and conflating the two leads to false confidence.
Verdict
Use PCC if you’re a security consultant auditing client servers, a sysadmin validating production hardening, or a developer who needs to quickly verify PHP configuration against security baselines. The single-file design makes it perfect for one-off assessments on shared hosting, legacy systems, or environments where installing tools via package managers is difficult or impossible. Its deliberately simple, transparent code makes it ideal when you need to show stakeholders what’s wrong with their PHP setup—the HTML output provides immediate visual feedback. Skip it if you need continuous automated monitoring without disabling safety features, if you’re working in environments so locked down that core functions like ini_get() are disabled, or if you’re looking for comprehensive application security testing rather than configuration validation. For those cases, you’ll need different tooling approaches. PCC does exactly one thing—auditing PHP runtime configuration—and its value proposition is simplicity, transparency, and portability, not comprehensive security coverage.
