Support the ongoing development of Laravel.io →
Security
Last updated 6 months ago.
0
moderator

The developer should have set the debug to true explicit to have it displayed, the default is false. See: https://github.com/laravel/laravel/blob/master/config/app.php#L42

So by default it is save and only if you change it you can expose this. For me that makes a big different.

The debug option is to help you with debugging, then you sometimes need to have the environment variables. But if correct you never use this in production.

0

The fact that you only THINK about putting secret variables in a HTTP response IN ANY WAY, suggests you don't wear high priority on security.

It shouldn't even be this way by default. You don't even warn developers that secret passwords are exposed on the WhoopsPage.

You really can't expect a small organisation to setup 2 environments. 2 environments to update Linux, Apache, PHP5-7-7.2-7.3..., mysql-server, and so on and so on.

If someone wants to know the environment variables he just needs to open the damn file. It's even easier than opening the electric lock of your car.

I'm not mad, I just think this is a wrong default configuration that leads to pownes when server-admins overlook just 1 teeny-tiny setting. I hope sincerly that this will be changed in future releases.

When developers read that this is only just possible, it would be enough to drive them right into the arms of Microsoft with ASP.NET. It would be a shame since Laravel is way, way more performant than ASP.NET.

Last updated 3 years ago.
0
moderator

It isn't by default. By default it doesn't show the environment variables. And you are warned about it, see: https://laravel.com/docs/5.7/errors#configuration

I'm not mad, I just think this is a wrong default configuration that leads to pownes when server-admins overlook just 1 teeny-tiny setting. I hope sincerly that this will be changed in future releases.

It isn't a tiny setting to overlook. It is a tinny setting that doesn't need to change. A server admin that change the default without knowing is someone I don't want to have.

For me this is the same as using the debugbar and complaining that you see it in production. If you change the config without knowing what you do you shouldn't be allowed to change the config.

0

I have been using homestead for a while. But some features you want to add to your site aren't possible in homestead/vagrantbox.

0

With respect, the least you can expect from a wannabe framework developer is that they understand that credentials should never be printed in a webpage, doesn't matter if it's while debugging or not.

Professional MVC frameworks provide an advanced IDE where you can easily debug your application locally. Laravel doesn't. It's pretty easy to see why after almost 8 years Laravel doesn't even manage to have 100.000 sites hosted.

Even the statement that nothing can go wrong when debug mode is disabled is entirely false: https://www.google.com/amp/s/blog.hacken.io/dangers-of-laravel-debug-mode-enabled%3fhs_amp=true https://stackoverflow.com/questions/48439665/weird-laravel-security-behavior/55793767#55793767

But off course you can always hide yourself behind

composer install --no-dev

to run from your responsibilities like you guys do.

And still it's funny how you talk about "professional developers" while the framework is printing credentials in a HTTP response. ROTFL

School example of documentation: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.2&tabs=visual-studio

Last updated 3 years ago.
0

Sign in to participate in this thread!

LoadForge

Your banner here too?

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2022 Laravel.io - All rights reserved.