Dot-env variables easily exposed

Laravel exposes all env details if it is set in debug mode and any route error occur.

It’s dangerous even during development. Can we hide this..?

Asked on July 22, 2020 in Laravel.
Add Comment
2 Answer(s)

Yes we can,

by just blacklisting. Adding the code below in config/app.php would hide all environment variables from the whoops page:

'debug_blacklist' => [
        '_SERVER' => array_keys($_ENV),
        '_ENV' => array_keys($_ENV),        
],
Answered on July 22, 2020.
Add Comment

You can even use,

 

'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),        
    ],
Answered on July 22, 2020.
Add Comment

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.