Intigriti - Hack Hub

Debug Mode Enabled

Description:

Laravel exposes sensitive data when debug mode (APP_DEBUG=true) is left enabled on a reachable deployment: every unhandled exception is rendered as a detailed error page instead of a generic 500 response.

The data shown includes the stack trace with excerpts of the (PHP) source code around each frame and the request that triggered the error, and in severe cases also environment variables. Those can include database connection strings and the APP_KEY, the secret Laravel uses to encrypt and authenticate session cookies, other encrypted cookies and signed URLs.

Testing:

Request the following app routes and manually examine the responses. A verbose exception page (stack trace, source excerpts, request and environment details) or Laravel Debugbar output indicates that debug mode is enabled:

/profiles
/_debugbar

More generally, any request that makes the application throw an exception renders the debug error page while APP_DEBUG is true, so a malformed parameter on a legitimate route works as well as a canned path.
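The following script, added here as an example (it is not the Misconfig Mapper tool and not Laravel code), automates this check against a base URL and also runs offline against constructed sample responses. The probe list and the marker strings are assumptions about what the Ignition and Whoops error pages and Laravel Debugbar emit; tune them to your target.

```python
"""Heuristic check for a Laravel application running with APP_DEBUG=true.

Added example; not part of the Misconfig Mapper page or of Laravel.
The marker patterns are assumptions about the debug error page (Ignition,
Whoops) and Laravel Debugbar output; expect false positives on sites that
happen to use these words and adjust them for your target.
"""
import re
import sys
import urllib.error
import urllib.request

# Paths from the page. Any route that throws an exception would also do.
PROBE_PATHS = ["/profiles", "/_debugbar"]

# Markers that indicate a verbose error page or debug tooling (assumed).
DEBUG_PAGE_MARKERS = {
    "ignition": re.compile(r"(?i)ignition"),      # spatie/laravel-ignition page
    "whoops": re.compile(r"(?i)whoops"),          # filp/whoops (Laravel < 6)
    "stack_trace": re.compile(r"(?i)stack\s*trace|#0 .*\.php\(\d+\)"),
    "debugbar": re.compile(r"phpdebugbar"),       # barryvdh/laravel-debugbar assets
}

# Secrets that must never appear in a response. A Laravel APP_KEY is
# "base64:" followed by 32 random bytes in base64 (43 chars plus one '=').
SECRET_MARKERS = {
    "app_key": re.compile(r"base64:[A-Za-z0-9+/]{43}="),
    "db_credentials": re.compile(r"\bDB_(PASSWORD|USERNAME|HOST)\b"),
}


def analyse_response(body: str) -> dict:
    """Return which debug-page markers and secret markers appear in a body."""
    return {
        "debug_markers": sorted(n for n, rx in DEBUG_PAGE_MARKERS.items() if rx.search(body)),
        "leaked_secrets": sorted(n for n, rx in SECRET_MARKERS.items() if rx.search(body)),
    }


def is_debug_mode_exposed(body: str) -> bool:
    """True when any marker matches; a manual look at the response still follows."""
    result = analyse_response(body)
    return bool(result["debug_markers"] or result["leaked_secrets"])


def fetch(base_url: str, path: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET base_url + path. 4xx/5xx bodies are the interesting ones, so keep them."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "laravel-debug-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def scan(base_url: str) -> dict:
    """Probe every path and report status plus marker hits per path."""
    findings = {}
    for path in PROBE_PATHS:
        status, body = fetch(base_url, path)
        findings[path] = {"status": status, **analyse_response(body)}
    return findings


# Constructed sample bodies (not captured from a real target) for offline use.
SAMPLE_IGNITION_PAGE = """<!doctype html><html><head><title>ErrorException</title></head>
<body><div id="app"></div><script>window.data = {"exception_class":"ErrorException",
"stack":[{"file":"/var/www/app/Http/Controllers/ProfileController.php","line":42}]};</script>
<script src="/vendor/ignition/index.js"></script></body></html>"""

SAMPLE_PROD_404 = """<!doctype html><html><head><title>Not Found</title></head>
<body><div class="code">404</div><div class="message">Not Found</div></body></html>"""

SAMPLE_ENV_LEAK = ('<tr><td>APP_KEY</td><td>base64:' + "A" * 43 + '=</td></tr>'
                   '<tr><td>DB_PASSWORD</td><td>s3cret</td></tr>')

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for probe, result in scan(sys.argv[1]).items():
            print(probe, result)
    else:
        for name, body in [("ignition", SAMPLE_IGNITION_PAGE), ("prod_404", SAMPLE_PROD_404),
                           ("env_leak", SAMPLE_ENV_LEAK)]:
            print(name, is_debug_mode_exposed(body), analyse_response(body))
```

Run it with the target's base URL as the only argument; without an argument it evaluates the constructed samples. Treat any non-404 answer from /_debugbar as worth a manual look even when no marker matches, since the Debugbar JSON endpoints do not necessarily contain the asset markers used above.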

Remediation:

Debug mode must be turned off in production and in any other environment that is reachable from the internet.

To disable it, set the APP_DEBUG environment variable in your .env file to false (config/app.php reads it as env('APP_DEBUG', false), so leaving the variable unset also disables debug mode):

...
APP_DEBUG=false
...

If the configuration has been cached (bootstrap/cache/config.php exists), the .env change does not take effect until you run php artisan config:cache again (or php artisan config:clear). Verify the effective value with config('app.debug') in php artisan tinker rather than trusting the .env file alone.
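Because config/app.php applies a PHP (bool) cast to whatever env() returns, only the words Laravel's env() helper recognises actually disable debug mode; a value such as APP_DEBUG=off is a non-empty string and therefore true. The audit below, added here as an example (not Laravel's or the page's code), re-implements that coercion for a .env file and flags settings that leave debug mode on. Its .env parsing is a simplified assumption (quotes stripped as phpdotenv does, no variable interpolation or multi-line values), and the cached-config flag is supplied by the caller.

```python
"""Audit a Laravel .env file for a debug setting that survives into production.

Added example, not from the page or from Laravel. Mirrors the value coercion
of Laravel's env() helper ('true'/'(true)' -> true, 'false'/'(false)' -> false,
'null'/'(null)' -> null, 'empty'/'(empty)' -> '', anything else stays a string)
followed by the (bool) cast in config/app.php. Simplified .env parsing is an
assumption: quotes are stripped as phpdotenv does, nothing else is interpreted.
"""

_ENV_WORDS = {
    "true": True, "(true)": True,
    "false": False, "(false)": False,
    "null": None, "(null)": None,
    "empty": "", "(empty)": "",
}


def laravel_env_value(raw: str):
    """Value as Laravel's env() would see it for a line from a .env file."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]          # phpdotenv removes surrounding quotes
    return _ENV_WORDS.get(value.lower(), value)


def php_bool(value) -> bool:
    """PHP's (bool) cast for the types env() can return."""
    if value is None or value is False or value == "" or value == "0":
        return False
    return True  # "off", "no", "0.0" and every other non-empty string are truthy


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser; comments, blank lines and 'export ' are tolerated."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("export "):
            line = line[len("export "):]
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        env[key.strip()] = raw
    return env


def debug_enabled(dotenv_text: str) -> bool:
    """Effective config('app.debug') for this .env, assuming no config cache."""
    env = parse_dotenv(dotenv_text)
    if "APP_DEBUG" not in env:
        return False                 # config/app.php default: env('APP_DEBUG', false)
    return php_bool(laravel_env_value(env["APP_DEBUG"]))


def audit(dotenv_text: str, config_cached: bool = False) -> list:
    """Human-readable findings; config_cached is True when bootstrap/cache/config.php exists."""
    findings = []
    raw = parse_dotenv(dotenv_text).get("APP_DEBUG")
    if raw is not None and debug_enabled(dotenv_text):
        findings.append(f"APP_DEBUG={raw.strip()} leaves debug mode ON: env() yields "
                        f"{laravel_env_value(raw)!r}, which (bool) casts to true")
    if config_cached:
        findings.append("bootstrap/cache/config.php is present: .env is ignored until "
                        "php artisan config:cache runs again")
    return findings


# Constructed sample .env contents (not from any real deployment).
SAMPLES = {
    "true": "APP_NAME=Demo\nAPP_DEBUG=true\n",
    "off": "APP_DEBUG=off\n",          # looks disabled, is not
    "quoted_false": 'APP_DEBUG="false"\n',
    "zero": "APP_DEBUG=0\n",
    "unset": "APP_NAME=Demo\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} debug_enabled={debug_enabled(text)} findings={audit(text)}")
```

On a real host, pass the contents of the deployed .env and the result of an existence check on bootstrap/cache/config.php; the second finding is the one most often missed, because a cached config makes the .env file irrelevant until the cache is rebuilt.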

Potential Impact:

An attacker who obtains the APP_KEY can decrypt and forge anything Laravel encrypts or signs with it: session and other encrypted cookies (with the cookie session driver, the session contents themselves) and signed URLs. Leaked database connection strings give direct access to backend data, and the exposed source code and stack traces give a head start on finding further vulnerabilities in the application.

References:

https://laravel.com/docs/10.x/deployment#debug-mode

Last updated 12 months ago