Should you leave the Laravel debug bar on a published site?

New to using Laravel and php. I’m working on a project, and there’s a debug bar on the bottom of a published web app.

Is this standard? Or should I tell my manager to remove it? Is there any security issues?

.env is currently:

APP_DEBUG=true

Answer

Yes, it is a security concern.

The debug bar should only be available to the developer(s) during development and never exposed to users on the Internet.

In a production environment, the APP_DEBUG property should be set to false.

Per Laravel documentation: https://laravel.com/docs/8.x/configuration#debug-mode

For local development, you should set the APP_DEBUG environment variable to true. In your production environment, this value should always be false. If the variable is set to true in production, you risk exposing sensitive configuration values to your application’s end users.