Level 73
Why would a class name be a security risk?
Then it would be the same as showing the model name in the url.
Jun 24, 2024
2
Level 1
Exposing Model Names in Laravel API Responses
Hey everyone,
I recently noticed that Laravel returns this kind of message in the API response (404) when a record is not found:
{
"message": "No query results for model [App\Models\MaskedReport] 123"
}
Personally, I don't like that the model name (in this case, MaskedReport) is exposed to the end user, especially when the app environment is set to "production". It feels like a potential security risk.
I'm curious if Laravel has thought about this and if there's a simple solution to avoid exposing the model name in production. Or do I need to create a custom error exception to handle this?
Thanks!
Level 60
https://laravel.com/docs/11.x/errors#rendering-exceptions
//bootstrap/app.php
->withExceptions(function (Exceptions $exceptions) {
$exceptions->render(function (NotFoundHttpException $e, Request $request) {
return response()->json([
'message' => 'Record not found.'
], 404);
});
})
1 like
Please or to participate in this conversation.