How to hide .env passwords in Laravel whoops output?
As of Laravel 5.5.13, you can censor variables by listing them under the key debug_blacklist
in config/app.php
. When an exception is thrown, whoops will mask these values with asterisks *
for each character.
For example, given this config/app.php
return [ // ... 'debug_blacklist' => [ '_ENV' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_SERVER' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_POST' => [ 'password', ], ],];
Results in this output:
First of all, love the solution by Jeff above.
2nd, if like me you wanna hide all the env variables
while still use whoops, here is a solution:
'debug_blacklist' => [ '_COOKIE' => array_keys($_COOKIE), '_SERVER' => array_keys($_SERVER), '_ENV' => array_keys($_ENV), ],
Output:
EDIT:
- Legend has it that since laravel 7x you would need
debug_hide
key instead - If you want to hide session and cookies in Ignition (as newer versions of laravel use flare/ignition for errors), use this:Laravel / Ignition: How to hide Session info from Request Tab?
Thanks Jeff and Raheel for helping out, but I just found a little gotcha:
Even if I clear out all environment keys from _ENV
, the same keys are STILL exposed through the _SERVER
variables listed.
Adding the code below in config/app.php
would hide all environment variables from the whoops page:
'debug_blacklist' => [ '_SERVER' => array_keys($_ENV), '_ENV' => array_keys($_ENV), ],