diff --git a/best_practices/configuration.rst b/best_practices/configuration.rst index 63b987d45b4..e595f94bf82 100644 --- a/best_practices/configuration.rst +++ b/best_practices/configuration.rst @@ -42,6 +42,13 @@ they have nothing to do with the application's behavior. In other words, your application doesn't care about the location of your database or the credentials to access to it, as long as the database is correctly configured. +.. caution:: + + Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables + or outputting the ``phpinfo()`` contents will display the values of the + environment variables, exposing sensitive information such as the database + credentials. + .. _best-practices-canonical-parameters: Canonical Parameters diff --git a/configuration/external_parameters.rst b/configuration/external_parameters.rst index ed993e6c9bf..375360985d3 100644 --- a/configuration/external_parameters.rst +++ b/configuration/external_parameters.rst @@ -123,6 +123,13 @@ the following: fastcgi_param DATABASE_URL "mysql://db_user:db_password@127.0.0.1:3306/db_name"; +.. caution:: + + Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables + or outputting the ``phpinfo()`` contents will display the values of the + environment variables, exposing sensitive information such as the database + credentials. + Constants ---------
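Review bot: The caution added at line 45 of best_practices/configuration.rst is word-for-word the same block that this patch adds to configuration/external_parameters.rst, so the two copies will have to be kept in sync by hand. Consider keeping the full text in one of the two files and replacing the other with a one-sentence caution that links to it. As a style point, "Beware that" is redundant inside a ``.. caution::`` directive; the sentence can start directly with "Dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables ...".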
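Review bot: In the configuration/external_parameters.rst hunk, the caution that follows the ``fastcgi_param DATABASE_URL`` example names the exposure but gives the reader no action to take. Since that example puts ``db_user:db_password`` directly in the environment variable, add a closing sentence saying what to do about it, for instance that ``phpinfo()`` output and dumps of ``$_SERVER`` or ``$_ENV`` should not be reachable on a production server. It would also help to say that the warning covers every variable defined this way, not only ``DATABASE_URL``, because the phrase "such as the database credentials" is the only hint of scope.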