
How to hide .env passwords in Laravel whoops output?

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?

Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.

whoops output screenshot with passwords shown

like image 971
Jeff Puckett Avatar asked Sep 25 '17 13:09

Jeff Puckett


2 Answers

As of Laravel 5.5.13, you can censor variables by listing them under the key debug_blacklist in config/app.php. When an exception is thrown, whoops will mask these values with asterisks * for each character.

For example, given this config/app.php

    return [

        // ...

        'debug_blacklist' => [
            '_ENV' => [
                'APP_KEY',
                'DB_PASSWORD',
                'REDIS_PASSWORD',
                'MAIL_PASSWORD',
                'PUSHER_APP_KEY',
                'PUSHER_APP_SECRET',
            ],
            '_SERVER' => [
                'APP_KEY',
                'DB_PASSWORD',
                'REDIS_PASSWORD',
                'MAIL_PASSWORD',
                'PUSHER_APP_KEY',
                'PUSHER_APP_SECRET',
            ],
            '_POST' => [
                'password',
            ],
        ],
    ];

Results in this output:

whoops exception page

like image 91
Jeff Puckett Avatar answered Oct 09 '22 10:10

Jeff Puckett


First of all, love the solution by Jeff above.

2nd, if like me you wanna hide all the env variables while still using whoops, here is a solution:

    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],

Output:

enter image description here

EDIT: Legend has it that since Laravel 7.x you would need the debug_hide key instead.

like image 20
Raheel Hasan Avatar answered Oct 09 '22 09:10

Raheel Hasan
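
An added example (not part of either answer, and not Laravel's or whoops's own code): it reproduces the one-asterisk-per-character masking described in the first answer and reports secret-looking keys that an explicit list leaves out, which is the gap the second answer's blanket array_keys() approach closes. The helper names, the naming heuristic and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example. maskValues() and findUnmaskedSecrets() are hypothetical helpers,
// not Laravel or whoops functions; every sample value is constructed.

/** Replace each blacklisted string value with one asterisk per character. */
function maskValues(array $values, array $blacklistedKeys): array
{
    foreach ($blacklistedKeys as $key) {
        if (isset($values[$key]) && is_string($values[$key])) {
            $values[$key] = str_repeat('*', strlen($values[$key]));
        }
    }
    return $values;
}

/** Return keys whose names look secret-bearing but are not on the blacklist. */
function findUnmaskedSecrets(array $values, array $blacklistedKeys): array
{
    $pattern = '/PASSWORD|SECRET|TOKEN|KEY/i'; // assumed naming heuristic
    $unlisted = array_diff(array_keys($values), $blacklistedKeys);
    return array_values(array_filter($unlisted, function ($name) use ($pattern) {
        return preg_match($pattern, (string) $name) === 1;
    }));
}

// Explicit list in the shape of the debug_blacklist config from the first answer.
$blacklist = [
    '_ENV'  => ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD'],
    '_POST' => ['password'],
];

// Constructed stand-ins for the superglobals at the moment an exception is rendered.
$superglobals = [
    '_ENV' => [
        'APP_ENV'               => 'local',
        'APP_KEY'               => 'base64:constructed-example-key',
        'DB_PASSWORD'           => 'constructed-db-pass',
        'AWS_SECRET_ACCESS_KEY' => 'constructed-aws-secret', // not on the list
    ],
    '_POST' => ['password' => 'constructed-pass', 'api_token' => 'constructed-token'],
];

foreach ($superglobals as $name => $values) {
    $listed = $blacklist[$name] ?? [];
    $missed = findUnmaskedSecrets($values, $listed);
    echo $name, " as it would be displayed:\n";
    print_r(maskValues($values, $listed));
    echo "secret-looking keys left unmasked: ", implode(', ', $missed) ?: '(none)', "\n\n";
}
```

With the sample data, AWS_SECRET_ACCESS_KEY and api_token are reported as unmasked. The masked values keep their original length, since each character becomes one asterisk.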