How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?
Sometimes other people are looking at my development wor
I struggled with this too for a bit on a dev machine. My solution was to edit vendor/filp/whoops/src/Whoops/Handler/PrettyPageHandler.php and add in:
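
    // Replace the value of every entry whose key contains one of $badwords.
    public function sanitizePrivate($data, $badwords)
    {
        foreach ($data as $key => $value) {
            foreach ($badwords as $keyword) {
                // dd($key);
                // Case-insensitive partial match on the key name.
                if (strpos(strtolower($key), $keyword) !== false) {
                    $data[$key] = "***************";
                }
            }
        }

        return $data;
    }
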
This converts all the incoming data to lowercase and then searches for partial matches so you don't have to specify every variation of password variable names. Then in the handle() function, define terms you want to exclude.

    $badwords = array("password", "pwd", "secret", "key", "token", "salt", "mail");
    $_SERVER = $this->sanitizePrivate($_SERVER, $badwords);
    $_ENV = $this->sanitizePrivate($_ENV, $badwords);
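
An added example, not part of the original answer: a standalone variant of the same key-substring masking that returns a masked copy instead of overwriting the superglobals, recurses into nested arrays, and shows on constructed data how broadly a partial match on "key" or "mail" applies. The function name `maskSensitive` and all sample values are hypothetical.

```php
<?php
// Added example: standalone variant of the answer's key-substring masking.
// maskSensitive() and the sample data below are hypothetical, for illustration.

function maskSensitive(array $data, array $badwords, string $mask = '***************'): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        $name = strtolower((string) $key);   // keys can be integers (e.g. inside argv)
        $hit = false;
        foreach ($badwords as $word) {
            if (strpos($name, strtolower($word)) !== false) {
                $hit = true;
                break;
            }
        }
        if ($hit) {
            $clean[$key] = $mask;            // hide the value, keep the key visible
        } elseif (is_array($value)) {
            $clean[$key] = maskSensitive($value, $badwords, $mask); // nested arrays
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample standing in for $_ENV / $_SERVER.
$sample = [
    'APP_ENV'     => 'local',
    'DB_PASSWORD' => 'constructed-password',
    'APP_KEY'     => 'base64:constructed-sample-value',
    'MAIL_HOST'   => 'smtp.example.test',
    'KEYBOARD'    => 'us',  // also masked: "key" is matched as a substring
    'argv'        => ['artisan', 'serve'],
    'services'    => ['stripe_secret' => 'constructed-secret', 'region' => 'eu'],
];

$badwords = ['password', 'pwd', 'secret', 'key', 'token', 'salt', 'mail'];

// The original arrays are left untouched; only the printed copy is masked.
print_r(maskSensitive($sample, $badwords));
```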