diff --git a/disallowed-dangerous-calls.neon b/disallowed-dangerous-calls.neon
index 12c7e34..4f53d0f 100644
--- a/disallowed-dangerous-calls.neon
+++ b/disallowed-dangerous-calls.neon
@@ -58,3 +58,7 @@ parameters:
 message: 'use some logger instead'
 allowParamsAnywhere:
 2: true
+ -
+ function: 'phpinfo()'
+ message: 'might reveal session id or other tokens in cookies'
+ errorTip: 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'
diff --git a/tests/Configs/DangerousConfigFunctionCallsTest.php b/tests/Configs/DangerousConfigFunctionCallsTest.php
index 2c0cf0a..86773e3 100644
--- a/tests/Configs/DangerousConfigFunctionCallsTest.php
+++ b/tests/Configs/DangerousConfigFunctionCallsTest.php
@@ -40,6 +40,7 @@ public function testRule(): void
 ['Calling var_dump() is forbidden, use some logger instead.', 22],
 ['Calling var_export() is forbidden, use some logger instead.', 23],
 ['Calling var_export() is forbidden, use some logger instead.', 25],
+ ['Calling phpinfo() is forbidden, might reveal session id or other tokens in cookies.', 26, 'see https://www.michalspacek.com/stealing-session-ids-with-phpinfo-and-how-to-stop-it and use e.g. spaze/phpinfo instead'],
 ]);
 }
 
diff --git a/tests/src/configs/dangerousCalls.php b/tests/src/configs/dangerousCalls.php
index 771508e..7167318 100644
--- a/tests/src/configs/dangerousCalls.php
+++ b/tests/src/configs/dangerousCalls.php
@@ -23,3 +23,4 @@
 var_export([]);
 var_export([1], true);
 var_export([2], false);
+phpinfo();
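Review bot: The `message` on the new `phpinfo()` entry understates what the call discloses: besides cookies and session ids, phpinfo() prints $_SERVER and environment variables (which on many deployments carry database credentials and API keys), absolute filesystem paths, loaded extensions and ini settings, so a developer reading only the rule text may treat it as a session-fixation nit rather than a full configuration leak. Suggest `message: 'leaks environment variables, server configuration and request data (including cookies and session ids) to anyone who can reach the page'`; the expected string in DangerousConfigFunctionCallsTest.php would need the same wording. Worth adding to the `errorTip` that this is a static check only — a string callable such as `call_user_func('phpinfo')` or a `$fn()` indirection presumably is not resolved by the rule, so production hardening should also set `disable_functions = phpinfo` in php.ini rather than rely on the analyser alone. The `parameters:` mapping this entry belongs to starts before the hunk.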