How can I hide my passwords and other sensitive environment variables on-screen in Laravel’s whoops output?
Sometimes other people are looking at my development work. I don’t want them to see these secrets if an exception is thrown, but I also don’t want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.
Advertisement
Answer
As of Laravel 5.5.13, you can censor variables by listing them under the key debug_blacklist
in config/app.php
. When an exception is thrown, whoops will mask these values with asterisks *
for each character.
For example, given this config/app.php
return [ // ... 'debug_blacklist' => [ '_ENV' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_SERVER' => [ 'APP_KEY', 'DB_PASSWORD', 'REDIS_PASSWORD', 'MAIL_PASSWORD', 'PUSHER_APP_KEY', 'PUSHER_APP_SECRET', ], '_POST' => [ 'password', ], ], ];
Results in this output: