
kleand

Debug mode security issue

I think and strongly believe that Laravel shouldn't expose environment variables in debug mode.

What happened to me recently is:

I set up a staging environment where other team members should be able to test and work, but some online bots captured this instance in debug mode and exploited my third-party service credentials, such as my SMTP provider's.

I see no reason why this mode should expose .env at all.

kleand

@tykus I totally understand you, but what's missing from the framework is a mode which can be online so that teams can use it to QA, TEST and reproduce any errors and not expose any credentials at the same time.

tykus

> what's missing from the framework is a mode which can be online so that teams can use it to QA, TEST and reproduce any errors

That is not debugging.

Use a bug tracking tool like Sentry, Bugsnag, etc. if the staging site must be publicly accessible; otherwise, password-protect the staging site, or use the maintenance mode secret.
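
Added example, not written by anyone in the thread: a deploy gate that refuses to publish a non-local Laravel instance whose .env turns debug mode on. It assumes the stock `env()` helper and the default `(bool) env('APP_DEBUG', false)` cast in config/app.php; the function names are hypothetical and the .env parsing is simplified.

```shell
#!/bin/sh
# Added example (not from the thread): block deployment of a non-local
# Laravel instance whose .env leaves debug mode on.

# Print every value assigned to key $2 in file $1 (simplified .env parsing:
# optional "export", surrounding quotes and trailing "# comment" removed).
env_values() {
  sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed -E -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' \
           -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Succeeds when any APP_DEBUG assignment would enable debug mode.
# Assumption: stock env() helper plus "(bool) env('APP_DEBUG', false)".
# Only the strings below end up false; "off", "no" or "disabled" are
# non-empty strings and therefore turn debug mode ON.
debug_enabled() {
  env_values "$1" APP_DEBUG | tr '[:upper:]' '[:lower:]' |
    grep -q -v -x -E '(0|false|\(false\)|null|\(null\)|empty|\(empty\))?'
}

# Returns 0 when the file is safe to deploy publicly, 1 otherwise.
audit_env() {
  app_env=$(env_values "$1" APP_ENV | tail -n 1)
  if [ "$app_env" != "local" ] && debug_enabled "$1"; then
    echo "REFUSE: APP_DEBUG is on with APP_ENV=${app_env:-unset} in $1" >&2
    return 1
  fi
  return 0
}

# Constructed sample resembling the staging setup described in the thread.
sample=$(mktemp)
printf 'APP_ENV=staging\nAPP_DEBUG=on\nMAIL_PASSWORD=placeholder\n' > "$sample"
audit_env "$sample" || echo "deploy blocked"
rm -f "$sample"
```

Run as a CI step before the staging host is made reachable, it catches values that look disabled but are not, alongside the access controls suggested above.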
