Laravel whoops output – How to hide .env passwords

As of Laravel 5.5.13, there’s a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist.

When an exception is thrown, whoops masks each blacklisted value, replacing every character with an asterisk (*).

To activate this feature, add the following lines to config/app.php:

...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
...

Save the file and clear the config cache with:

php artisan config:clear

After this, the values of all keys listed in the debug_blacklist array will be replaced with asterisks (************) in the whoops output.
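
A check that complements the configuration above, as an added example (not code from the original post or from Laravel): it lists secret-looking variable names in a .env file that are missing from the `_ENV` or `_SERVER` lists of debug_blacklist. The sample .env text, the blacklist array and the name pattern are constructed assumptions; the helper names envKeys and uncoveredSecrets are hypothetical.

```php
<?php
// Added example: find secret-looking .env names not covered by debug_blacklist.
// All sample data below is constructed; the helper names are hypothetical.

/** Return the variable names defined in .env-style text. */
function envKeys(string $envContents): array
{
    $keys = [];
    foreach (preg_split('/\R/', $envContents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue; // skip blank lines and comments
        }
        if (preg_match('/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/', $line, $m)) {
            $keys[] = $m[1];
        }
    }
    return $keys;
}

/** For each superglobal, list secret-looking names absent from its blacklist. */
function uncoveredSecrets(array $keys, array $blacklist, string $pattern): array
{
    $secrets = array_filter($keys, function ($key) use ($pattern) {
        return preg_match($pattern, $key) === 1;
    });
    $missing = [];
    foreach (['_ENV', '_SERVER'] as $global) {
        $missing[$global] = array_values(array_diff($secrets, $blacklist[$global] ?? []));
    }
    return $missing;
}

$envContents = <<<'DOTENV'
# constructed sample, not a real .env
APP_NAME=Demo
APP_KEY=base64:placeholder
DB_PASSWORD=placeholder
MAIL_PASSWORD=placeholder
AWS_SECRET_ACCESS_KEY=placeholder
DOTENV;

// Constructed stand-in for the 'debug_blacklist' array in config/app.php.
$blacklist = [
    '_ENV'    => ['APP_KEY', 'DB_PASSWORD', 'MAIL_PASSWORD'],
    '_SERVER' => ['APP_KEY', 'DB_PASSWORD'],
];
// Heuristic name pattern (an assumption; adjust to your own naming scheme).
$pattern = '/(KEY|SECRET|PASSWORD|TOKEN)/i';
print_r(uncoveredSecrets(envKeys($envContents), $blacklist, $pattern));
```

Because the blacklist is keyed per superglobal, a name listed under `_ENV` but not under `_SERVER` is still shown in the other section of the whoops page, which is why the check reports each list separately.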

One thought on “Laravel whoops output – How to hide .env passwords”

  1. I still have no clue why an MVC framework prints all environment variables on a debug page. Apparently it’s just too hard to double-click the .env file in PHPStorm.

    It’s also the reason why barely 2% of the websites worldwide are using Laravel. I’m migrating everything to ASP.NET Core for the moment.
