How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?
Sometimes other people are looking at my development wor
Usually for local development, we should set the APP_DEBUG environment variable to true so that we get better insight into errors and warnings while debugging.
But in the production environment, this value should always be false. If the value is set to true in production, you risk exposing sensitive env passwords to your application’s end users.
As of Laravel 5.5.x, the framework also provides a solution for this.
You just need to add the debug_blacklist option to your config/app.php configuration file. After you add this option, Laravel will mask the values of all the keys listed in debug_blacklist with asterisks in the debug output.
You can use it in two ways:
return [
    // ...
    // First way: hide only the keys named explicitly for each superglobal.
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
        ],
        '_POST' => [
            'password',
        ],
    ],
];

return [
    // ...
    // Second way: hide every key currently present in these superglobals.
    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],
];
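
An explicit list like the first configuration only hides the keys you remembered to name. The following added example (not from the original page and not Laravel code) compares such a list against the keys actually present and reports secret-looking keys that would still be shown; the function name findUnmaskedSecrets, the keyword pattern and the sample values are assumptions made for illustration.

```php
<?php
// Added example: standalone audit helper, not part of Laravel or Whoops.
// findUnmaskedSecrets() and the keyword pattern are hypothetical names/choices.

/**
 * Return, per superglobal, the keys that look sensitive but are missing
 * from the debug_blacklist array and would therefore be shown unmasked.
 */
function findUnmaskedSecrets(array $blacklist, array $superglobals, string $pattern): array
{
    $missing = [];
    foreach ($superglobals as $name => $values) {
        // Keys the blacklist already covers for this superglobal.
        $covered = array_flip($blacklist[$name] ?? []);
        foreach (array_keys($values) as $key) {
            if (preg_match($pattern, (string) $key) && !isset($covered[$key])) {
                $missing[$name][] = $key;
            }
        }
    }
    return $missing;
}

// The explicit list from the first configuration above.
$blacklist = [
    '_ENV'    => ['APP_KEY', 'DB_PASSWORD'],
    '_SERVER' => ['APP_KEY', 'DB_PASSWORD'],
    '_POST'   => ['password'],
];

// Constructed sample data standing in for $_ENV, $_SERVER and $_POST.
$superglobals = [
    '_ENV'    => ['APP_KEY' => 'x', 'DB_PASSWORD' => 'x', 'MAIL_PASSWORD' => 'x', 'APP_NAME' => 'demo'],
    '_SERVER' => ['APP_KEY' => 'x', 'DB_PASSWORD' => 'x', 'AWS_SECRET_ACCESS_KEY' => 'x'],
    '_POST'   => ['password' => 'x', 'password_confirmation' => 'x', 'email' => 'a@example.test'],
];

// Assumed heuristic for "looks like a secret"; extend it for your own variable names.
$pattern = '/pass|secret|token|key/i';

foreach (findUnmaskedSecrets($blacklist, $superglobals, $pattern) as $name => $keys) {
    echo $name . ' not masked: ' . implode(', ', $keys) . PHP_EOL;
}
```

Inside a Laravel application, the same function can be given config('app.debug_blacklist') and the real superglobals instead of the constructed arrays.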
Reference taken from: https://techjeni.com/how-to-secure-and-hide-env-passwords-from-laravel-debug-output/