How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output?
Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't want to have to keep toggling debug on and off, or spin up a dedicated site just for a quick preview.
As of Laravel 5.5.13, there's a new feature that allows you to blacklist certain variables in config/app.php under the key debug_blacklist. When an exception is thrown, whoops will mask these values with asterisks * for each character.
For example, given this config/app.php
return [
// ...
'debug_blacklist' => [
'_ENV' => [
'APP_KEY',
'DB_PASSWORD',
'REDIS_PASSWORD',
'MAIL_PASSWORD',
'PUSHER_APP_KEY',
'PUSHER_APP_SECRET',
],
'_SERVER' => [
'APP_KEY',
'DB_PASSWORD',
'REDIS_PASSWORD',
'MAIL_PASSWORD',
'PUSHER_APP_KEY',
'PUSHER_APP_SECRET',
],
'_POST' => [
'password',
],
],
];
Results in this output:
First of all, love the solution by Jeff above.
2nd, if like me you wanna hide all the env variables while still use whoops, here is a solution:
'debug_blacklist' => [
'_COOKIE' => array_keys($_COOKIE),
'_SERVER' => array_keys($_SERVER),
'_ENV' => array_keys($_ENV),
],
Output:
Thanks Jeff and Raheel for helping out, but I just found a little gotcha:
Even if I clear out all environment keys from _ENV, the same keys are STILL exposed through the _SERVER variables listed.
Adding the code below in config/app.php would hide all environment variables from the whoops page:
'debug_blacklist' => [
'_SERVER' => array_keys($_ENV),
'_ENV' => array_keys($_ENV),
],
I've made a package to solve this problem.
Just install it using
composer require glaivepro/hidevara
Most of the server and all the env variables will be removed. Any password-like fields in $_POST will have their values hidden.
You can also customize it in either blacklist or whitelist approach to show/obfuscate/remove fields however you like.
The solution by @jeff + @raheel is great!!! On a project recently we found we sometimes wanted to whitelist a property or two, so building on the above, you can whitelist specific properties you want to debug with something like:
'debug_blacklist' => [
'_COOKIE' => array_diff(array_keys($_COOKIE), array()),
'_SERVER' => array_diff(array_keys($_SERVER), array('APP_URL', 'QUERY_STRING')),
'_ENV' => array_diff(array_keys($_ENV), array()),
],
If you want to allow that list to be configured via .env, you can do something like:
'debug_blacklist' => [
'_COOKIE' => array_diff(
array_keys($_COOKIE),
explode(",", env('DEBUG_COOKIE_WHITELIST', ""))
),
'_SERVER' => array_diff(
array_keys($_SERVER),
explode(",", env('DEBUG_SERVER_WHITELIST', ""))
),
'_ENV' => array_diff(
array_keys($_ENV),
explode(",", env('DEBUG_ENV_WHITELIST', ""))
),
],
Then in your .env, do something like:
DEBUG_SERVER_WHITELIST="APP_URL,QUERY_STRING"
Cheers!
Laravel 5.6 not works for my. but this works:
$envKeys = [];
$serverKeys = [];
$cookieKeys = [];
foreach ( $_ENV as $key => $value ) { if(is_string($value)) $envKeys[] = $key; }
foreach ( $_SERVER as $key => $value ) { if(is_string($value)) $serverKeys[] = $key; }
foreach ( $_COOKIE as $key => $value ) { if(is_string($value)) $cookieKeys[] = $key; }
return [
// ...
'debug_blacklist' => [
'_COOKIE' => $cookieKeys,
'_SERVER' => $serverKeys,
'_ENV' => $envKeys,
],
];
I would be grateful for a better solution.
来源:https://stackoverflow.com/questions/46407009/how-to-hide-env-passwords-in-laravel-whoops-output