How to hide .env passwords in Laravel whoops output?


As of Laravel 5.5.13, you can censor variables by listing them under the key debug_blacklist in config/app.php. When an exception is thrown, whoops will mask these values with asterisks * for each character.

For example, given this config/app.php:

    return [
        // ...
        'debug_blacklist' => [
            '_ENV' => [
                'APP_KEY',
                'DB_PASSWORD',
                'REDIS_PASSWORD',
                'MAIL_PASSWORD',
                'PUSHER_APP_KEY',
                'PUSHER_APP_SECRET',
            ],
            '_SERVER' => [
                'APP_KEY',
                'DB_PASSWORD',
                'REDIS_PASSWORD',
                'MAIL_PASSWORD',
                'PUSHER_APP_KEY',
                'PUSHER_APP_SECRET',
            ],
            '_POST' => [
                'password',
            ],
        ],
    ];

Results in this output:

[Image: whoops exception page]


First of all, love the solution by Jeff above.

Second, if, like me, you wanna hide all the env variables while still using whoops, here is a solution:

    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],


EDIT:

  1. Legend has it that since Laravel 7.x you would need the debug_hide key instead.
  2. If you want to hide session and cookies in Ignition (as newer versions of Laravel use flare/ignition for errors), use this: Laravel / Ignition: How to hide Session info from Request Tab?


Thanks Jeff and Raheel for helping out, but I just found a little gotcha:

Even if I clear out all environment keys from _ENV, the same keys are STILL exposed through the _SERVER variables listed.

Adding the code below in config/app.php would hide all environment variables from the whoops page:

    'debug_blacklist' => [
        '_SERVER' => array_keys($_ENV),
        '_ENV' => array_keys($_ENV),
    ],
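An added example, not code from any of the answers above or from Laravel: it builds the blacklist by matching variable names against a pattern list, covers both _ENV and _SERVER as the last answer recommends, and leaves non-secret variables readable for debugging. The pattern list, helper names and sample values are assumptions, and maskForDisplay only imitates the per-character asterisk masking described in the first answer.

```php
<?php
// Added example, not from the answers. Patterns and sample values are assumptions.

// Return the keys of $vars whose name contains a sensitive word (case-insensitive).
function sensitiveKeys(array $vars, array $patterns): array
{
    $regex = '/' . implode('|', array_map('preg_quote', $patterns)) . '/i';
    $keys = array_filter(array_keys($vars), function ($key) use ($regex) {
        return is_string($key) && preg_match($regex, $key) === 1;
    });
    return array_values($keys);
}

// Cover _ENV and _SERVER together: .env values show up in both.
function buildDebugBlacklist(array $env, array $server, array $patterns): array
{
    return [
        '_ENV'    => sensitiveKeys($env, $patterns),
        '_SERVER' => sensitiveKeys($server, $patterns),
        '_POST'   => ['password'],
    ];
}

// Stand-in for the masking described above: one asterisk per character.
function maskForDisplay(array $vars, array $hiddenKeys): array
{
    foreach ($hiddenKeys as $key) {
        if (isset($vars[$key]) && is_string($vars[$key])) {
            $vars[$key] = str_repeat('*', strlen($vars[$key]));
        }
    }
    return $vars;
}

// Constructed sample data standing in for $_ENV and $_SERVER.
$env    = ['APP_ENV' => 'local', 'DB_PASSWORD' => 'hunter2', 'PUSHER_APP_SECRET' => 'abc123'];
$server = $env + ['REQUEST_URI' => '/login'];
$patterns = ['PASSWORD', 'SECRET', 'KEY', 'TOKEN'];

$blacklist = buildDebugBlacklist($env, $server, $patterns);

// Blacklisting only _ENV leaves the same secrets readable under _SERVER.
$envOnly = maskForDisplay($server, []);
echo "_SERVER, only _ENV listed: DB_PASSWORD={$envOnly['DB_PASSWORD']}\n";

// With both lists applied, secrets are masked and harmless keys stay readable.
$masked = maskForDisplay($server, $blacklist['_SERVER']);
echo "_SERVER, both listed:      DB_PASSWORD={$masked['DB_PASSWORD']}\n";
echo "REQUEST_URI still visible: {$masked['REQUEST_URI']}\n";
```

In config/app.php the array would come from buildDebugBlacklist($_ENV, $_SERVER, $patterns). If the configuration is cached with php artisan config:cache, the key lists are whatever the superglobals held when the cache was built.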