5

How can I hide my passwords and other sensitive environment variables on-screen in Lumen (Not Laravel)?

Sometimes we either forget or test smth in development and make debug=false in the .env file. We maybe don't want other people to see such information even in development phase.

Also for some people who don't know this, if an exception is thrown while opening a page or making a request, everything that is in the .env file is shown in the browser, including db passwords etc - "and this is how you debug"!

I have found a solution for Laravel but I need it for Lumen also!

Solution for Laravel: How to hide .env passwords in Laravel whoops output?

It would be best if we had this as a default setting offer by Laravel team, but after some discussions in Laracast I'm not quite optimistic!

I HOPE DEVELOPERS KNOW THIS ISSUE AND BE VERY VERY CAREFUL BECAUSE FORGETTING IT OR EVEN TESTING IT IN DEVELOPMENT HAS A HUGE HUGE RISK OF BEING HACKED!

Thank You!

Klo
  • 53
  • 1
  • 6

3 Answers3

0

2 options:

  1. Don't install dev dependencies: composer install --no-dev
  2. Use a professional MVC framework
Pieterjan
  • 2,738
  • 4
  • 28
  • 55
0

You can hide the sensitive information by adding following code in config/app.php

'debug_blacklist' => [
    '_ENV' => [
        'APP_KEY',
        'DB_PASSWORD',
    ],
    '_SERVER' => [
        'APP_KEY',
        'DB_PASSWORD',
    ],
    '_POST' => [
        'password',
    ],
],
SREE ANI
  • 304
  • 2
  • 5
  • 13
-1

you can totally customize debug output in the ÈxceptionHandler class.

its up to you, how you want the exception to be transformed into a json response

Max
  • 1
  • 2
  • 5
    I'm tired of hearing all the time this "it's up to you"! Why having a framework then? When smth becomes standard than it needs to be provided as a default! NO? – Klo Jul 09 '18 at 10:28