Project security

To prevent potential security risks, PhpStorm lets you decide how to work with a project if you're not sure about its source. PhpStorm warns you about tasks or configurations that will be executed and lets you configure sources that you can trust.

Projects security in PhpStorm

PHP projects that you open from unknown sources may contain malicious code. In addition, certain PhpStorm features might also lead to malicious code execution. The following features are not available for untrusted projects:

Executing Composer commands.
Refreshing the versions of the configured PHP command-line tools.
Refreshing the versions of the configured PHP test frameworks.
Working with the configured PHP code quality tools.

Open a project for the first time

When you try to open a PHP project from an unknown source for the first time, PhpStorm displays a warning and lets you decide how to proceed.

You can select one of the following actions:

Preview in Safe Mode: in this case, PhpStorm opens a project in a "preview mode" meaning you can browse the project's sources, but it might be unsafe to execute any tasks or run your project.
PhpStorm displays a notification on top of the editor area, and you can click the Trust project link and load your project at any time.
Trust Project: in this case, PhpStorm opens and loads a project normally.
Don't Open: in this case, PhpStorm cancels the action.

Open an existing project

If a project you are planning to open was created on a different machine and contains the .idea directory, PhpStorm opens it in the IDE automatically as if you chose the Preview in Safe Mode action.

PhpStorm also displays an editor notification stating that the project is untrusted.

In-editor notification for an untrusted project

If you trust the source, click Trust project and load it.

You can also add the source to the trusted locations, so the next time you open your project, PhpStorm will trust it implicitly.

Startup tasks

When you open a project created on a different machine, it might contain some scripts or tasks that are executed during the opening process. If such tasks are found, PhpStorm displays a notification suggesting that the code you are about to execute might be harmful.

You can review what tasks will be executed and modify the settings.

Review the startup tasks

In the Settings/Preferences dialog Ctrl+Alt+S, go to Tools | Startup Tasks.
On the Startup Tasks settings page, you can review and modify the startup tasks.

Trusted locations

You can configure what sources PhpStorm should consider safe and load such projects automatically during the opening process.

Configure trusted locations

In the Settings/Preferences dialog Ctrl+Alt+S, go to Build, Execution, Deployment | Trusted Locations.
On the Trusted Locations settings page, configure the local directories where the projects you consider trusted reside. Click OK to save the changes.
The next time you open a project from one of those locations, PhpStorm will implicitly trust it.

Last modified: 21 December 2021