Laravel Hide .env Variables and Details From Debug Output

Published on July 15, 2020 51 sec read

In this tutorial, I’m going to share how to hide .env variables from Laravel error page. Let’s get started:

Table of Contents

  1. Hide Specific Variables
  2. Hide All Variable
  3. Hide Except Variables
  4. Stop Debugging

Hide Specific Variables

From Laravel 5.5.13, we’re able to hide variables by by listing them under the key debug_blacklist in config/app.php. For example, given this config:

return [
    // ...
    'debug_blacklist' => [
        '_ENV' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_SERVER' => [
            'APP_KEY',
            'DB_PASSWORD',
            'REDIS_PASSWORD',
            'MAIL_PASSWORD',
            'PUSHER_APP_KEY',
            'PUSHER_APP_SECRET',
        ],
        '_POST' => [
            'password',
        ],
    ],
];

Results in this output:

Hide All Variables

We’re able to hide all variables like this:

return [
    // ...
    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV), 
    ],
];

Results in this output:

Hide Except Variables

If we need to whitelist a property or two, we ca do so:

return [
    // ...
    'debug_blacklist' => [
        '_COOKIE' => array_diff(
            array_keys($_COOKIE),
            explode(",", env('DEBUG_COOKIE_WHITELIST', ""))
        ),
        '_SERVER' => array_diff(
            array_keys($_SERVER),
            explode(",", env('DEBUG_SERVER_WHITELIST', ""))
        ),
        '_ENV' => array_diff(
            array_keys($_ENV),
            explode(",", env('DEBUG_ENV_WHITELIST', ""))
        ),
    ],
];

Then in your .env, add this variables:

DEBUG_SERVER_WHITELIST="APP_URL,QUERY_STRING"

Stop Debugging

To make .env variables 100% secure, you should turn off debugging. In .env file, make:

APP_DEBUG=false
That’s it. Thanks for reading. 🙂

Monthly Newsletter

One email a month, packed with the latest tutorials, delivered straight to your inbox.
We'll never send any spam or promotional emails.
Author

Hey, I'm Md Obydullah. I build open-source projects and write on Laravel, Linux server, modern JavaScript and more on web development. If you enjoy my content, please consider supporting what I do!

Follow Buy me a coffeeBuy me a coffee

Leave a Reply

Your email address will not be published. Required fields are marked *