
Laravel hidden attributes. e.g. Password - security


When you run User::all(), it returns a Collection object. This Collection contains all your Users in object form. Therefore, your Users will contain their passwords. This is so you can display the hashed password for whatever reason. However, as you said before, if you transform the Collection or Users into arrays or JSON, the password field should be gone if hidden.

Therefore, if you want to get rid of them, try running the following:

$array_of_users = Users::all()->toArray();
$json_of_users = Users::all()->toJson();

dd() both of these to inspect them. The password field will be gone.

This is explained in Laravel's documentation on serialization.


No, because you should NOT do something like that in production (or in the real world).

Your views, written in Blade, can receive a User::all() result and process it, but that's PHP (server), not HTML (client), and it will transform that data to HTML before it is passed to the client.

So this

print_r(User::all())

is something that you'll never do to show to a user; it's something we use to debug, but it really means nothing.

But if you have any other examples, when sensitive data can be passed through a view to your client, we can discuss that too.


In Laravel, if you return from a controller any model object that represents an entity, it will be converted into JSON.
That is useful for API creation, and hidden fields help a lot there.
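
Added example, not part of the original answers: a stand-alone script showing where `$hidden` applies (array/JSON serialization) and where it does not (attribute access, debug dumps, `makeVisible()`). It assumes `illuminate/database` is installed through Composer; the `check()` helper and the user data are constructed for illustration, and no database connection is used.

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Eloquent\Collection;
use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    // Attributes left out of toArray(), toJson() and json_encode().
    protected $hidden = ['password', 'remember_token'];
}

// Hypothetical helper: fail loudly even when PHP's assert() is disabled.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample user; the hash and token are placeholders.
$user = (new User)->forceFill([
    'id'             => 1,
    'email'          => 'alice@example.test',
    'password'       => '$2y$10$PLACEHOLDER_HASH',
    'remember_token' => 'PLACEHOLDER_TOKEN',
]);
$users = new Collection([$user]);

// 1. The object still carries the hash: $hidden does not touch attribute access.
check($user->password === '$2y$10$PLACEHOLDER_HASH', 'attribute is readable on the model');

// 2. Serialization drops hidden attributes, for one model and for a Collection.
check(!array_key_exists('password', $user->toArray()), 'toArray() omits password');
check(!str_contains($users->toJson(), 'PLACEHOLDER'), 'toJson() omits password and token');
check(!str_contains(json_encode($users), 'PLACEHOLDER'), 'json_encode() omits them too');

// 3. Debug dumps read the raw object, so they bypass $hidden entirely.
check(str_contains(print_r($users, true), 'PLACEHOLDER_HASH'), 'print_r() exposes the hash');

// 4. Building the payload by hand bypasses $hidden as well.
$manual = ['email' => $user->email, 'password' => $user->password];
check(str_contains(json_encode($manual), 'PLACEHOLDER_HASH'), 'hand-built array leaks the hash');

// 5. makeVisible() re-exposes a hidden attribute on that instance.
$user->makeVisible('password');
check(array_key_exists('password', $user->toArray()), 'makeVisible() puts password back');
```

Cases 3 to 5 are the ones to look for in code review: any path that reaches the client without going through `toArray()` or `toJson()` on the model gets no protection from `$hidden`.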