How to hide .env passwords in Laravel whoops output?

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?

Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.

whoops output screenshot with passwords shown

As of Laravel 5.5.13, you can censor variables by listing them under the key debug_blacklist in config/app.php. When an exception is thrown, whoops will mask these values with asterisks * for each character.

For example, given this config/app.php

return [

    // ...

    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
];

Results in this output:

whoops exception page

First of all, love the solution by Jeff above.

2nd, if like me you wanna hide all the env variables while still use whoops, here is a solution:

'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),        
    ],

Output:

enter image description here

EDIT: Legend has it that since laravel 7x you would need debug_hide key instead

Thanks Jeff and Raheel for helping out, but I just found a little gotcha:

Even if I clear out all environment keys from _ENV, the same keys are STILL exposed through the _SERVER variables listed.

Adding the code below in config/app.php would hide all environment variables from the whoops page:

'debug_blacklist' => [
        '_SERVER' => array_keys($_ENV),
        '_ENV' => array_keys($_ENV),        
],

I've made a package to solve this problem.

Just install it using

composer require glaivepro/hidevara

Most of the server and all the env variables will be removed. Any password-like fields in $_POST will have their values hidden.

You can also customize it in either blacklist or whitelist approach to show/obfuscate/remove fields however you like.

Error in phpMyAdmin after updating to v4.8.0: The $cfg['TempDir'] (./tmp/) is not accessible

How can I get the name of an html page in Javascript?

Sorting strings with numbers in Bash [duplicate]

RecyclerView not calling onCreateViewHolder or onBindView

How to check what type of DNS server is set up on my machine by default? (DNS-over-HTTPS, DNS-over-TLS, other?)

Virtual box 6.1.26 Host Windows 7 64bit and VB only showing 32bit Windows VB available, how to fix?

Can't convert vim macro text to normal characters

Debian install: No Ethernet Card detected

Can't find option to activate legacy boot mode on Asus EFI BIOS

Eisenstein Criterion

Is this a known method for solving linear equations in 1 variable?

How to calculate curvature of the Earth and its effect on a 25-meter footprint?

How to hide .env passwords in Laravel whoops output?

Related

Recent Posts