How to hide .env passwords in Laravel whoops output?
How can I hide my passwords and other sensitive environment variables on-screen in Laravel\'s whoops output?
Sometimes other people are looking at my development wor
-
Just Change
APP_DEBUG=trueTo:
APP_DEBUG=falseIn the .env file.
讨论(0) -
As of Laravel 5.5.13, you can censor variables by listing them under the key
debug_blacklistinconfig/app.php. When an exception is thrown, whoops will mask these values with asterisks*for each character.For example, given this
config/app.phpreturn [ // ... 'debug_blacklist' => [ '_ENV' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_SERVER' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_POST' => [ 'password', ], ], ];Results in this output:
讨论(0) -
For Laravel 5.6-5.8:
'debug_blacklist' => [ '_COOKIE' => array_keys(array_filter($_COOKIE, function($value) {return is_string($value);})), '_SERVER' => array_keys(array_filter($_SERVER, function($value) {return is_string($value);})), '_ENV' => array_keys(array_filter($_ENV, function($value) {return is_string($value);})), ],讨论(0) -
Usually for local development, we should set the APP_DEBUG environment variable to true. So that we can have better insights of the debugging error and warnings.
But in the production environment, this value should always be false. If the value is set to true in production, you risk exposing sensitive env passwords to your application’s end users.
As of Laravel 5.5.x also provides a solution for it.
You just need to add the
debug_blacklistoption in yourconfig/app.phpconfiguration file. After adding this option, Laravel will blacklist all the keys mentioned indebug_blacklistoption with asterisk.You can use it with two ways:
Method 1 – Blacklist selective ENV keys and passwords
return [ // ... 'debug_blacklist' => [ '_ENV' => [ 'APP_KEY', 'DB_PASSWORD', ], '_SERVER' => [ 'APP_KEY', 'DB_PASSWORD', ], '_POST' => [ 'password', ], ], ];Method 2 – Blacklist all the ENV keys and passwords
return [ // ... 'debug_blacklist' => [ '_COOKIE' => array_keys($_COOKIE), '_SERVER' => array_keys($_SERVER), '_ENV' => array_keys($_ENV), ], ]Reference Taken From : https://techjeni.com/how-to-secure-and-hide-env-passwords-from-laravel-debug-output/
讨论(0) -
The solution by @jeff + @raheel is great!!! On a project recently we found we sometimes wanted to whitelist a property or two, so building on the above, you can whitelist specific properties you want to debug with something like:
'debug_blacklist' => [ '_COOKIE' => array_diff(array_keys($_COOKIE), array()), '_SERVER' => array_diff(array_keys($_SERVER), array('APP_URL', 'QUERY_STRING')), '_ENV' => array_diff(array_keys($_ENV), array()), ],If you want to allow that list to be configured via .env, you can do something like:
'debug_blacklist' => [ '_COOKIE' => array_diff( array_keys($_COOKIE), explode(",", env('DEBUG_COOKIE_WHITELIST', "")) ), '_SERVER' => array_diff( array_keys($_SERVER), explode(",", env('DEBUG_SERVER_WHITELIST', "")) ), '_ENV' => array_diff( array_keys($_ENV), explode(",", env('DEBUG_ENV_WHITELIST', "")) ), ],Then in your .env, do something like:
DEBUG_SERVER_WHITELIST="APP_URL,QUERY_STRING"Cheers!
讨论(0) -
Thanks Jeff and Raheel for helping out, but I just found a little gotcha:
Even if I clear out all environment keys from
_ENV, the same keys are STILL exposed through the_SERVERvariables listed.Adding the code below in
config/app.phpwould hide all environment variables from the whoops page:'debug_blacklist' => [ '_SERVER' => array_keys($_ENV), '_ENV' => array_keys($_ENV), ],讨论(0)
加载中...
- 热议问题