I've recently switched to environment-based application deployments for Laravel and I've decided to store credentials for my local and production server in .env files using $_ENV. However, I've discovered that when debugging is turned on and an exception is thrown, the error page displays the environment variables, exposing database credentials.
Now I'm certain debugging will always be off on production because that's what I have it default to, then I override it in a local folder for my local environment. However, what if somehow, some way, debugging is turned on in production and a user forces a 404 exception? All they need to do is read down the page until they see the environment variables in plain view, exposing credentials. In the docs, it says it's best practice for any 'real' application to keep database credentials away from the actual config. I may be a bit paranoid here.
Is there a way I can limit what is shown in the debug screen displayed by laravel?
I just recently bumped into the same problem, while a project I was working on required me to temporarily open up my dev machine to the evil outside world to test some API callbacks.
Hereby, I exposed all my precious keys and passwords whenever Whoops was triggered. Even if it was a blind API callback machine, the chances of them logging responses to their requests and some engineer sifting through them and finding some AWS keys... no thanks.
This is what I'm using now:
```php
// Laravel 4: register this alongside the other App::error handlers in app/start/global.php.
// It runs before the debug (Whoops) page is rendered, so the page never sees the variables.
App::error(function (Exception $exception, $code)
{
    // Never, ever, use environment variables in responses, not even when debugging.
    // $_SERVER mirrors the .env values, so strip those keys from it as well.
    $_SERVER = array_except($_SERVER, array_keys($_ENV));
    $_ENV = [];
});
```
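As an added example (not part of the answer above, and not Laravel code), the same idea in plain PHP without framework helpers: instead of wiping $_ENV outright, it redacts only variables whose names look like credentials, so the debug page keeps harmless values such as APP_ENV while passwords and keys are masked. The name pattern and the sample values are constructed assumptions.

```php
<?php
// Added example, not from the original answer. Plain PHP, no Laravel helpers.

// Variable names that usually hold credentials (constructed list; extend for your setup).
const SECRET_NAME_PATTERN = '/(PASS|PASSWORD|SECRET|KEY|TOKEN|DSN|CREDENTIAL)/i';

/**
 * Return a copy of $vars with every secret-looking value replaced by a fixed mask.
 * Keys are kept, so the debug page still shows which variables exist, just not their values.
 */
function redactSecrets(array $vars): array
{
    foreach ($vars as $name => $value) {
        if (preg_match(SECRET_NAME_PATTERN, (string) $name)) {
            $vars[$name] = '[redacted]';
        }
    }
    return $vars;
}

/**
 * Scrub both superglobals before any debug page (Whoops or otherwise) reads them.
 * $_SERVER mirrors $_ENV when php.ini's variables_order includes "E", so both are handled.
 * Call this from the exception handler, after the application has already read its
 * configuration, otherwise the app itself loses access to the credentials.
 */
function scrubEnvironmentForDebug(): void
{
    $_ENV = redactSecrets($_ENV);
    $_SERVER = redactSecrets($_SERVER);
}

// Constructed sample values for a stand-alone run (not real credentials).
$_ENV['APP_ENV'] = 'local';
$_ENV['DB_PASSWORD'] = 'example-password';
$_ENV['AWS_SECRET_ACCESS_KEY'] = 'example-aws-secret';
$_SERVER['DB_PASSWORD'] = 'example-password';

scrubEnvironmentForDebug();

// APP_ENV survives; the credential values are masked in both superglobals.
foreach (['APP_ENV', 'DB_PASSWORD', 'AWS_SECRET_ACCESS_KEY'] as $name) {
    echo $name, ' => ', $_ENV[$name], PHP_EOL;
}
echo 'SERVER DB_PASSWORD => ', $_SERVER['DB_PASSWORD'], PHP_EOL;
```

Note that getenv() reads the process environment, not these arrays, so code that calls getenv() directly would still see the originals; the debug page only reads the superglobals.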