Default debug blacklist/whitelist for new projects?

[kaphert]

Based on this pull request laravel/framework#21336 and this comment laravel/framework#21336 (comment)

As suggested in the pull request. Would it be a good idea if we hide the credentials from the whoops debug page by default?

It can prevent accidental password leaks for projects that are deployed to a live environment with debug mode still on.

[BrandonSurowiec]

Sounds like a good idea to me. Go for it.

[tontonsb]

The problem seems to be that the Whoops package doesn't currently support whitelisting...

[tontonsb]

The problem with packages is that the stuff can get dumped before packages are registered. I did a similar package, but I couldn't find a reasonable way to register it soon enough. Currently I have it so that the developer must call my class in bootstrap/app.php.

The only "automatic" way I could think of was to edit the bootstrap automatically. Maybe I'll do that later.

[kaphert]

Note for anyone reading this. A simple approach is to just add this to you config/app.php file:

'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],

This will hide the most sensitive data from your whoops error page. My suggestion in this ticket was to make something like this the default setting.

[VishwasShetty]

Note for anyone reading this. A simple approach is to just add this to you config/app.php file:

'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],

This will hide the most sensitive data from your whoops error page. My suggestion in this ticket was to make something like this the default setting.

Sir actually i tried your code in my project.but it didnt worked.
My frame work is 5.8.2.
can you help me out.

[BrandonSurowiec]

@VishwasShetty install Laravel Ignition to be your error page and you don't need to worry about the blacklist anymore: https://flareapp.io/docs/ignition-for-laravel/installation

[tontonsb]

That is wrong. Sometimes the app crashes before Ignition is started but after Whoops is started, so one can still get their variables dumped in a most unexpected way.

[Chris1234567899]

This should be definitely hidden by default, no matter what!
Maybe people are aware of setting debug for production, but that does not apply equally in a test or development environment where debugging might be needed. Sensitive information (shared keys for external services for example) can be stored there as well.
I myself was not aware, that .env variables are shown by default if debug is set to true (even the thought seemed to ridiculous to be true). Huge security flaw!

Just stating that somewhere in the docs is simply not good enough. People might not read docs entirely or forget about it.

[JohnnyWalkerDigital]

As previous stated, you can add the following to config/app.php:

    'debug_blacklist' => [
        '_COOKIE' => array_keys($_COOKIE),
        '_SERVER' => array_keys($_SERVER),
        '_ENV' => array_keys($_ENV),
    ],

This DEFINITELY works.

And with Laravel 7 and 8 they added debug_hide, which does exactly the same thing.