
tilamap365's avatar

Problems that debug true in production can bring

What problems can it cause if, in the .env file, I put the application in production mode with debug true? Can someone access the database, or intervene in any function to change something?

0 likes
9 replies
webrobert's avatar

The problem is debug shows the code of your app when there is an error or issue and that’s a vulnerability.

1 like
tilamap365's avatar

@webrobert how can someone change the code from debug view?

Or how exactly can someone use that code that appears from the error in the view?

jlrdw's avatar

For security don't use debug in production, it could possibly show things like passwords.

Sinnbeck's avatar

Imagine you are doing some HTTP request to an API. But the request fails. Now in the error message it accidentally shows your private key for that API. Now the user has your API key and can do whatever they want on that API, acting as you.

tilamap365's avatar

@Sinnbeck So I'm linking my question to a problem I encountered recently. I have an online panel and, as I said, debug is true but it is in production. When trying to log in on different PCs, on some of them I can't log in, for X reasons that I don't know and am trying to solve. I don't see any error in the console, except in the network tab a request to the login route with 200, and another with 204 No Content (this happens only on some devices). But one of my questions is: is it possible that if I take this API and put it in my Postman, this API will return my dates while I get a status of 200?

Sinnbeck's avatar

@tilamap365 Debug mode is only helpful when you are getting errors. And for errors you should check your logs or use an error tracker like LaraBug (free) or Sentry (paid but more advanced).

1 like
aknEvrnky's avatar

I agree with all the comments above. I have a suggestion for systems that want to use app_debug in production for the admin only, if one exists.

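// in app\Exceptions\Handler.php

    // Imports needed at the top of the file
    use Illuminate\Auth\Access\AuthorizationException;
    use Illuminate\Auth\AuthenticationException;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Validation\ValidationException;
    use Throwable;

    public function render($request, Throwable $e)
    {
        // Let auth and validation errors follow the framework's normal flow.
        if (in_array(get_class($e), [AuthenticationException::class, ValidationException::class, AuthorizationException::class])) {
            return parent::render($request, $e);
        }

        // Render the debug page only for a logged-in user with the 'admin' ability.
        if (config('app.debug') && auth()->check() && Gate::allows('admin')) {
            return parent::render($request, $e);
        }

        // Everyone else gets the custom error page.
        return response()
            ->view('pages.error', [], 404);
    }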

So, if the user gets an auth or validation error, the system will do what it should, such as redirecting to the login route or redirecting back with validation messages.

For other exceptions, the debug page will be rendered if and only if the user is logged in and has the admin ability.

And finally, users will see your custom 404 page if they don't have access.

But even with this solution, you should keep app_debug off in production and use it only when an error that you should investigate has occurred.
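
A deploy-time guard for the configuration this thread warns about, as an added example that is not from any poster or from Laravel itself. It assumes the stock `config/app.php` cast `(bool) env('APP_DEBUG', false)` and Laravel's `env()` keyword handling, so values such as `off` or `no` count as debug on; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example: deploy-time guard against APP_DEBUG being on in production.

# Print the last value assigned to KEY ($2) in the .env file ($1).
# Assumption: a later assignment in the file overrides an earlier one.
env_value() {
    v=$(sed -n "s/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tr -d '\r' | tail -n 1)
    case $v in
        \"*) v=${v#\"}; v=${v%%\"*} ;;   # "double quoted" value
        \'*) v=${v#\'}; v=${v%%\'*} ;;   # 'single quoted' value
        *)   v=${v%%" #"*}               # drop an inline comment
             v=${v%"${v##*[! ]}"} ;;     # trim trailing spaces
    esac
    printf '%s' "$v"
}

# Return 0 when (bool) env('APP_DEBUG', false) would be true in PHP.
# Assumption: env() maps true/false/null/empty keywords, everything else
# stays a string, and any non-empty string other than "0" casts to true.
debug_enabled() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        ''|0|false|'(false)'|null|'(null)'|empty|'(empty)') return 1 ;;
        *) return 0 ;;
    esac
}

# Return 1 with a message when the file means production with debug on.
# An unset APP_ENV is treated as production (the stock default).
check_env() {
    app_env=$(env_value "$1" APP_ENV)
    app_debug=$(env_value "$1" APP_DEBUG)
    if [ "${app_env:-production}" = production ] && debug_enabled "$app_debug"; then
        echo "FAIL: APP_ENV=production with APP_DEBUG=$app_debug" >&2
        return 1
    fi
    echo "OK: APP_ENV=${app_env:-production} APP_DEBUG=${app_debug:-<unset>}"
}

# Constructed sample .env (not from the thread) to exercise the check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
APP_NAME=Panel
APP_ENV=production
APP_DEBUG=true   # left on while chasing a login bug
EOF
check_env "$sample" || echo "deploy blocked"
rm -f "$sample"
```

The check reads only the file, so a real environment variable set on the server still needs to be checked separately.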
