Will It Vibe logoWill It Vibe?
LARAVEL-005High severity-15 points

Debug mode enabled alongside a production environment

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

The same env file declares both APP_ENV=production and APP_DEBUG=true. In production this renders Ignition/Whoops error pages with full stack traces, local variable values, environment variables, and the last SQL queries to anyone who triggers an unhandled exception.

Why it matters

With APP_ENV=production and APP_DEBUG=true both set, Laravel renders full Ignition or Whoops error pages on any unhandled exception: stack traces, the values of local variables, environment variables (frequently including other secrets from the same .env file), and recent database queries. This exact misconfiguration has directly caused real production data breaches in Laravel applications.

How to fix it

Set APP_DEBUG=false in the production environment file, and rely on proper error reporting instead: log exceptions server-side via the configured logging channel, and show a generic error page to users. Keep APP_DEBUG=true only in local or example env files that never get deployed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks