Configuration reference
This page is a lookup reference for the config keys used by WebEngine. For the conceptual overview of how config is loaded and used, see Configuration.
Reference structure
The easiest way to document WebEngine config is by section. Each section groups related keys, and each key should be understood in terms of:
- what it controls
- its default value
- when you might want to override it
Main sections
The main sections are:
approuterviewloggersessiondatabasesecurity
For the underlying config package, see https://www.php.gt/docs/Config/Home/.
Config section: app
namespace- defaultApp- the namespace prefix to use when loading classes within your project. This might be your company’s name, for example.production- defaultfalse- set to true when deployed to a production server.class_dir- defaultclass- the directory name to use as the PSR-4 root for your application classes.service_loader- defaultServiceLoader- the class name of your application’s service loader, for extending the service container.slow_deltadefault0.25- the number of seconds a request takes to trigger a “slow” notice.very_slow_delta- default0.50- the number of seconds a request takes to trigger a “very slow” warning.render_buffer_size- default1024- number of bytes to flush in chunks to the browser.
See protected globals.
globals_whitelist_env- default unset - which$_ENVvariables to leave available globally.globals_whitelist_server- default unset - which$_SERVERvariables to leave available globally.globals_whitelist_getdefaultxdebug- which$_GETvariables to leave available globally.globals_whitelist_post- default unset - which$_POSTvariables to leave available globally.globals_whitelist_files- default unset - which$_FILESvariables to leave available globally.globals_whitelist_cookies- default unset - which$_COOKIEvariables to leave available globally.force_trailing_slashdefaulttrue- true to end requests with a slash, false to end requests without a slash, e.g.www.example.com/test/vswww.example.com/test.
See Errors and logging#Custom error pages.
error_page_dir- defaultpage/_error- the directory name to use to contain error pages.
Config section: router
See Routing reference.
router_file- defaultrouter.php- the application router file to load before falling back to the framework router.router_class- defaultAppRouter- the router class name expected withinrouter_file.redirect_response_code- default307- the HTTP status code used for framework-generated redirects such as trailing-slash normalisation.default_content_type- defaulttext/html- the content type used when the router does not set one explicitly.
Config section: view
component_directory- defaultpage/_component- the directory containing custom HTML components.partial_directory- defaultpage/_partial- the directory containing page partials.
Config section: logger
log_all_requests- defaulttrue- log standard requests at the configured logger level.log_static_requests- defaultfalse- include requests for static files in the request log.log_404_to_error_log- defaultfalse- when true, 404 responses are additionally written to the error log.log_redirects- defaultfalse- include redirect responses in the log output.debug_to_javascript- defaulttrue- when buffering debug output, expose it to the browser-side JavaScript debug stream.stderr_level- defaultERROR- the minimum log level routed tostderrwhen using split stdout/stderr logging.type- defaultstdout- the logger output target. The default writes to standard output.level- defaultdebug- the minimum log level for the main logger output.path- default empty - the file path to log to when using a file-based logger target.timestamp_format- defaultY-m-d H:i:s- PHP date format used when rendering log timestamps.log_format- default{TIMESTAMP}\t{USER}\t{LEVEL}\t{MESSAGE}\t{CONTEXT}- the template used to format each log line.separator- default\t- the separator token used by the logger formatter.newline- default\n- the line ending appended to each log entry.
Config section: session
See sessions.
handler- defaultGt\Session\FileHandler- the session handler class to use.path- defaultphpgt/session- storage path passed to the session handler.name- defaultGT- the session name sent in the cookie or URL-based session identifier.use_cookies- defaulttrue- when true, PHP session IDs are stored in cookies.
Config section: database
See databases.
driver- defaultsqlite- the database driver name.host- defaultlocalhost- the database host name, mainly relevant for networked database drivers.schema- default:memory:- the schema or database name. For SQLite, the default is an in-memory database.port- default0- the database port. A zero value leaves port selection to the driver defaults.username- defaultapp_user- the database username.password- defaultapp_pass- the database password.query_directory- defaultquery- the directory containing SQL query files.migration_path- default_migration- the directory containing migration files.migration_table- default_migration- the table name used to track applied migrations.query_path- defaultquery- the path used when resolving query files.
Config section: security
See security.
default_headers- default unset - optional semicolon-separated security headers to append to responses.csrf_header- defaultX-CSRF- the header name used to transmit CSRF tokens for refreshing client-side.csrf_ignore_path- default empty - a comma-separated list of request paths or path patterns excluded from CSRF checks.csrf_max_tokens- default100- the maximum number of CSRF tokens retained before older ones are discarded.csrf_token_length- default32- the generated CSRF token length in bytes.csrf_token_sharing- defaultper-page- whether tokens are generated once per-page or once per-form.
Practical notes
Some keys mainly affect development, such as debug or logging behaviour. Others are only required for production, such as database credentials, session settings, and security-related values.
When in doubt, keep project-level defaults small and override only what the environment genuinely needs to change.
[!IMPORTANT] Never store your secret credentials such as API keys or database passwords in version control. Your project’s
config.inishould only have development-related credentials or empty values stored - secret values should only ever be stored withinconfig.production.ini, placed their manually or via your project’s deployment process.
Move on to the routing reference page.