Description
Describe the bug
As the title suggests, I discovered that the PHP Stripe SDK sends extended server information to Stripe whilst undocumented, which I consider an issue.
The method ApiRequestor::_defaultHeaders() compiles a default set of headers that contain at least the used PHP version and the used kernel version (through php_uname()) on the server.
I understand that sending the PHP version might be of use for statistical purposes, while I would've expected to be able to disable this via disabling telemetry (Stripe::setEnableTelemetry(false)). However, there should never exist the need to send operating system information, especially when we're dealing with a script language like PHP.
Disabling php_uname via disable_functions is not a valid solution as the same server might run software with legitimate uses for this.
Please consider not obtaining this information when I explicitly do not give my consent for collecting telemetry.
To Reproduce
Send and intercept the request and inspect the headers.
Expected behavior
When I disable telemetry, PHP version and kernel information should not be sent in any regards.
Code snippets
OS
any
PHP version
any
Library version
stripe-php v19.3.0
API version
2026-01-28.clover
Additional context
No response
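
Added example, not part of the original issue and not stripe-php code: one way to do the header inspection described under "To Reproduce" is to scan the headers of a captured outbound request for this host's PHP version and php_uname() values. The header name `X-Example-Client-Info`, the function names and the sample header layout are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Values that identify this host; needles shorter than 3 chars are skipped.
function hostFingerprints(): array
{
    return array_filter([
        'php_version'    => PHP_VERSION,
        'uname_full'     => php_uname(),
        'kernel_release' => php_uname('r'),
        'hostname'       => php_uname('n'),
    ], fn (string $v): bool => strlen($v) >= 3);
}

// $headers: header name => value, as captured from an outbound request.
function findHostInfoLeaks(array $headers): array
{
    $findings = [];
    foreach ($headers as $name => $value) {
        // Search the raw value and, for JSON values, every decoded leaf,
        // because json_encode() escapes "/" and would hide a raw match.
        $haystacks = [(string) $value];
        $decoded = json_decode((string) $value, true);
        if (is_array($decoded)) {
            array_walk_recursive($decoded, function ($leaf) use (&$haystacks) {
                if (is_scalar($leaf)) {
                    $haystacks[] = (string) $leaf;
                }
            });
        }
        foreach (hostFingerprints() as $label => $needle) {
            foreach ($haystacks as $haystack) {
                if (stripos($haystack, $needle) !== false) {
                    $findings[] = ['header' => $name, 'leaks' => $label];
                    break; // one finding per header and fingerprint
                }
            }
        }
    }
    return $findings;
}

// Constructed sample capture (placeholder header name, not the SDK's own).
$captured = [
    'Content-Type'          => 'application/x-www-form-urlencoded',
    'X-Example-Client-Info' => json_encode(['lang_version' => PHP_VERSION, 'uname' => php_uname()]),
];
foreach (findHostInfoLeaks($captured) as $f) {
    printf("%s exposes %s\n", $f['header'], $f['leaks']);
}
```

Replacing `$captured` with the headers recorded by an intercepting proxy or a custom HTTP client lets the same check run against real traffic, with telemetry enabled and disabled.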