diff --git a/Dockerfile b/Dockerfile
index 919cfa8..654aafa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,7 +29,12 @@ RUN \
 # ... but ensure it exists with the right owner
 && mkdir -p /var/www \
 && echo " /var/www/index.php \
- && chown -R www-data.www-data /var/www
+ && chown -R www-data.www-data /var/www \
+# Bring php-fpm configs into a more controallable state
+ && rm /usr/local/etc/php-fpm.d/www.conf.default \
+ && mv /usr/local/etc/php-fpm.d/docker.conf /usr/local/etc/php-fpm.d/00-docker.conf \
+ && mv /usr/local/etc/php-fpm.d/www.conf /usr/local/etc/php-fpm.d/10-www.conf \
+ && mv /usr/local/etc/php-fpm.d/zz-docker.conf /usr/local/etc/php-fpm.d/20-docker.conf
 WORKDIR /var/www
@@ -54,6 +59,11 @@ ENV REDIRECT_PROTO="auto"
 # config ini in /usr/local/etc/php/conf.d/
 ENV XDEBUG=false
+# Which environment variables should be available to PHP? For security reasons we do not expose
+# any of them to PHP by default.
+# Valid values are "none" and "all"
+ENV ENV_WHITELIST="none"
+
 ADD etc/ /etc/
 ADD usr/ /usr/
diff --git a/etc/supervisor.d/docker.ini b/etc/supervisor.d/docker.ini
index b1a65f6..42ea89b 100644
--- a/etc/supervisor.d/docker.ini
+++ b/etc/supervisor.d/docker.ini
@@ -3,7 +3,7 @@ nodaemon=true
 pidfile=/var/run/supervisord.pid
 [program:php-fpm]
-command = /usr/local/sbin/php-fpm
+command=/usr/local/sbin/php-fpm
 autostart=true
 autorestart=true
 priority=5
diff --git a/usr/bin/docker-start b/usr/bin/docker-start
index 44de81f..e20a66c 100755
--- a/usr/bin/docker-start
+++ b/usr/bin/docker-start
@@ -40,4 +40,12 @@ else
 rm -f "${XDEBUG_INI}"
 fi
+if [ "${ENV_WHITELIST}" == "all" ]; then
+ rm -rf /usr/local/etc/php-fpm.d/50-clear-env.conf
+elif [ "${ENV_WHITELIST}" != "none" ]; then
+ echo "ERROR: Invalid value for ENV_WHITELIST, got '${ENV_WHITELIST}'" >&2
+ echo "ERROR: Valid values are: 'none' or 'all'" >&2
+ exit 1
+fi
+
 exec /usr/bin/supervisord -c /etc/supervisord.conf
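Review bot: The comment above the new `rm`/`mv` lines does not say why the php-fpm.d files are renumbered, and the reason is security-relevant. php-fpm reads php-fpm.d/*.conf in name order and a later assignment of a directive replaces an earlier one, so the renames appear to exist so that 50-clear-env.conf is read after the image's own pool files. I would state that in the comment, e.g. `# php-fpm reads php-fpm.d/*.conf in name order, last value wins: keep stock files below 50- so 50-clear-env.conf overrides them`. Any file added later that sorts after 50- can switch `clear_env` back off without docker-start noticing. The RUN instruction starts outside the hunk.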
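Review bot: `ENV_WHITELIST` reads like a list of variable names, but only `none` and `all` are accepted, and the added comment does not say what `all` costs. With `all`, every variable in the container environment, including credentials passed in for other purposes, becomes readable by PHP code and by anything that prints the environment. I would spell that out next to the default, e.g. `# "all" exposes the entire container environment (secrets included) to PHP; any other value makes docker-start exit with an error`. If selective exposure is wanted later, php-fpm's per-pool `env[NAME] = $NAME` entries allow it while `clear_env` stays on.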
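Review bot: `==` inside `[ ]` in the first added test is a bash extension; under a strictly POSIX /bin/sh the test errors out instead of comparing. It would fail closed here, since `all` would fall through to the `elif` and abort startup rather than expose anything, but the portable form costs nothing: `if [ "${ENV_WHITELIST}" = "all" ]; then`. The script's shebang is outside the hunk, so which shell runs this cannot be confirmed from here. The target is a single file, so `rm -f /usr/local/etc/php-fpm.d/50-clear-env.conf` is enough and avoids a recursive delete if the path ever changes.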
diff --git a/usr/local/etc/php-fpm.d/50-clear-env.conf b/usr/local/etc/php-fpm.d/50-clear-env.conf
new file mode 100644
index 0000000..4f0d61c
--- /dev/null
+++ b/usr/local/etc/php-fpm.d/50-clear-env.conf
@@ -0,0 +1,2 @@
+[www]
+clear_env = On
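Review bot: Nothing in this file says that docker-start deletes it when ENV_WHITELIST=all, or that it only takes effect if it is read after every other file that sets `clear_env` for the `www` pool. A two-line header would keep a later edit from silently reopening the environment: `; Deleted by /usr/bin/docker-start when ENV_WHITELIST=all` and `; Must sort after every other php-fpm.d file that sets clear_env for [www]`. The section covers only the `www` pool, so any additional pool would rely on php-fpm's own default for `clear_env`.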