Default datadog.appsec.enabled changed to on

[edsrzf]

Description

After release 0.7.0, datadog.appsec.enabled seems to default to On instead of off. I don't intend to use this extension and this change in defaults has caused problems for me when tracing is disabled. (See #241)

Explanation

The default for datadog.appsec.enabled depends on datadog.remote_config_enabled, which defaults to On. (See code here.) This means that datadog.appsec.enabled is now effectively on by default, as far as I can tell.

I believe this changed in https://github.com/DataDog/dd-appsec-php/pull/180, which was released with 0.7.0.

Installation

I don't intend to be using appsec. I install ddtrace using the recommended setup script:

curl -LO https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php
php datadog-setup.php --php-bin=all

I do not pass --enable-appsec, so I expect appsec to be disabled, since the docs state:

When you do not specify --enable-appsec, the AppSec extension loads shortly at startup, and is not enabled by default. It immediately short-circuits, causing negligible performance overhead.

[marcus-crane]

Related issue it seems: https://github.com/DataDog/dd-trace-php/issues/2014