Hide passwords in Laravel’s whoops output

By default, Laravel’s whoops output displays passwords and other sensitive variables in your env file on-screen. How to keep it hidden from the screen? In Laravel there is a new feature for this. It allows you to blacklist the variables on config/app.php under debug_blacklist. If an exception is thrown you can mask these values with asterisks instead of each character.


return [

// ...

'debug_blacklist' => [

'_ENV' =>[

'APP_KEY',

'DB_PASSWORD',

'REDIS_PASSWORD',

'MAIL_PASSWORD',

'PUSHER_APP_KEY',

'PUSHER_APP_SECRET',

],

'_SERVER' =>[

'APP_KEY',

'DB_PASSWORD',

'REDIS_PASSWORD',

'MAIL_PASSWORD',

'PUSHER_APP_KEY',

'PUSHER_APP_SECRET',

],

'_POST' =>[

'password',

],

],

];


To keep every variables of env file hidden use the following code.


'debug_blacklist' =>[

'_COOKIE' =>array_keys($_COOKIE),

'_SERVER' =>array_keys($_SERVER),

'_ENV' =>array_keys($_ENV),

],