How to secure database credentials stored in Laravel environment files?


Problem description


I've recently switched to environment-based application deployments for Laravel and I've decided to store credentials for my local and production servers in .env files using $_ENV. However, I've discovered that when debugging is turned on and an exception is thrown, the error page displays the environment variables, exposing database credentials.


Now I'm certain debugging will always be off on production because that's what I have it default to, then I override it in a local folder for my local environment. However, what if somehow, someway, debugging is turned on on production and a user forces a 404 exception? All they need to do is read down the page until they see the environment variables in plain view, exposing credentials. The docs say it's best practice for any 'real' application to keep database credentials away from the actual config. I may be a bit paranoid here.


Is there a way I can limit what is shown in the debug screen displayed by Laravel?

Recommended answer


I just recently bumped into the same problem, while a project I was working on required me to temporarily open up my dev machine to the evil outside world to test some API callbacks.


Hereby, I exposed all my precious keys and passwords whenever Whoops was triggered. Even if it was a blind API callback machine, the chance of them logging the responses to their requests and some engineer sifting through them and finding some AWS keys: no thanks.


This is what I'm using now:

App::error(function (Exception $exception, $code)
{
    // Never, ever, use environment variables in responses, not even when debugging.
    // Drop from $_SERVER every key that was loaded from .env, then empty $_ENV itself,
    // so the debug (Whoops) page has nothing sensitive left to dump.
    $_SERVER = array_except($_SERVER, array_keys($_ENV));
    $_ENV = [];
});
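The handler above wipes every environment entry, which also removes harmless values (DB_HOST, APP_DEBUG) that are useful while debugging. The following is an added example, not code from the original answer or from Laravel: it redacts instead of wiping, covering both every key that came from .env and any key whose name looks like a secret even when it was set outside .env (an AWS key exported in the web server's environment, for instance). The function name, the key pattern and the sample arrays are assumptions made for illustration; the sample data is constructed.

```php
<?php
// Added example (not from the original answer or from Laravel): redact, rather than
// wipe, the environment-derived entries in the superglobals that a debug page dumps,
// so the page stays useful while never showing a secret value.

/**
 * Return copies of $server and $env in which every key present in $env (i.e. every
 * key that came from .env) and every key matching a secret-looking name pattern has
 * its value replaced by $placeholder.
 *
 * @return array{0: array, 1: array} [$server, $env] after redaction
 */
function redactEnvironment(array $server, array $env, string $placeholder = '[redacted]'): array
{
    // Names that are treated as secrets even when they did not come from .env.
    // Assumed pattern; extend it to match your own naming conventions.
    $secretPattern = '/(PASS(WORD)?|SECRET|KEY|TOKEN|DSN)$/i';

    // Keys loaded from .env: redact all of them, since the file as a whole is sensitive.
    $envKeys = array_fill_keys(array_keys($env), true);

    $redact = function (array $vars) use ($envKeys, $secretPattern, $placeholder): array {
        foreach ($vars as $key => $value) {
            if (isset($envKeys[$key]) || preg_match($secretPattern, (string) $key)) {
                $vars[$key] = $placeholder;
            }
        }
        return $vars;
    };

    return [$redact($server), $redact($env)];
}

// Constructed sample input standing in for a real request's $_ENV and $_SERVER.
$sampleEnv = [
    'DB_HOST'     => 'db.internal',
    'DB_USERNAME' => 'app',
    'DB_PASSWORD' => 'hunter2',
    'APP_DEBUG'   => 'true',
];
$sampleServer = $sampleEnv + [
    'REQUEST_URI'           => '/missing-page',
    'HTTP_USER_AGENT'       => 'curl/8.0',
    // Not in .env, but matches the secret pattern and is redacted anyway.
    'AWS_SECRET_ACCESS_KEY' => 'example-secret-value',
];

[$safeServer, $safeEnv] = redactEnvironment($sampleServer, $sampleEnv);

// REQUEST_URI and HTTP_USER_AGENT survive unchanged; every other key shows '[redacted]'.
print_r($safeServer);
print_r($safeEnv);
```

To wire this into the Laravel 4 handler from the answer, replace the two assignments in the closure with `[$_SERVER, $_ENV] = redactEnvironment($_SERVER, $_ENV);`. Two caveats: this only sanitises what the error page renders from the superglobals, so the secrets are still in memory and may still appear in stack-frame arguments or in your own logging, and it is a second line of defence behind keeping debug mode off in production. Later Laravel releases (5.5 and up) added a `debug_blacklist` option in config/app.php (renamed `debug_hide` in 7.x) that lists `_ENV`, `_SERVER` and `_POST` keys to hide from the debug page, which is the supported way to get the same effect on those versions.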

