APP_KEY is missing or empty
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
Laravel uses APP_KEY to encrypt sessions, signed URLs, and anything passed through the Crypt facade. With no key set, encrypted cookies and sessions are either unprotected or the app throws on every request that touches them, and any encrypted data written before the key existed can never be decrypted.
Why it matters
APP_KEY is the encryption key Laravel uses for encrypted cookies, signed URLs, and anything passed through the Crypt facade. With no key, or an empty one, encrypted values either fail outright or, depending on configuration, are effectively unprotected, and anything encrypted before a key is eventually set can never be decrypted.
How to fix it
Generate a real key with php artisan key:generate, which writes a fresh base64-encoded key into APP_KEY in the .env file. Do this once per environment, do not reuse the same key across environments, and never commit the resulting .env file.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo