How to Fix Debug Mode Enabled in Production Laravel
APP_DEBUG=true in production exposes stack traces, environment variables, and database credentials. Learn how to disable it safely.
The Problem
Having APP_DEBUG=true in production exposes detailed error pages that reveal your environment variables, database credentials, file paths, and full stack traces to anyone who triggers an error. This is the most common Laravel security misconfiguration and gives attackers a complete blueprint of your application internals. Laravel Ignition debug pages are regularly indexed by search engines.
How to Fix
1. Set APP_DEBUG to false in your .env file
Open your production .env file and set APP_DEBUG to false.
2. Clear the configuration cache
After changing the .env value, clear and rebuild the config cache.
This ensures Laravel reads the updated value. Without clearing the cache, Laravel may continue using the cached debug=true setting.
3. Configure proper error logging
With debug mode off, you need proper error logging to catch issues. Configure the logging settings in your .env.
For production monitoring, add an external service in config/logging.php.
4. Set up custom error pages
Create user-friendly error pages so visitors see a professional page instead of a blank screen. Create these Blade files:
resources/views/errors/404.blade.php
resources/views/errors/500.blade.php
resources/views/errors/503.blade.php
Each should extend your app layout and show a helpful message without revealing technical details.
How to Verify
Visit a URL that does not exist on your site (e.g., yourdomain.com/this-page-does-not-exist). You should see a generic 404 page, not a Symfony or Ignition debug screen. Also verify with curl:
curl -s https://yourdomain.com/trigger-error | grep -i "whoops\|ignition\|debug\|stack trace"
This command should return nothing.
Prevention
Never set APP_DEBUG in your production deployment pipeline. Use environment-specific .env files and add APP_DEBUG=true to your .env.example with a comment warning against using it in production. Monitor with StackShield to catch accidental debug mode activation after deployments.
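The script below is an added example, not part of the original guide or of StackShield: a deploy-time guard that fails unless every APP_DEBUG assignment in a .env file is explicitly false, plus a check of a saved response body for the same markers as the curl command above. The function names, the strict pass rule, and the sample files are this example's assumptions; the sample data is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are
# hypothetical and all sample data below is constructed.

# Print every APP_DEBUG assignment in a .env file, normalised: quotes, CR,
# inline comments and surrounding whitespace removed, lower-cased.
# Commented-out lines such as "# APP_DEBUG=true" are skipped.
app_debug_values() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?APP_DEBUG[[:space:]]*=//p' "$1" \
    | tr -d "\"'\r" \
    | sed -E 's/[[:space:]]+#.*$//; s/^[[:space:]]+//; s/[[:space:]]+$//' \
    | tr '[:upper:]' '[:lower:]'
}

# Succeed only if APP_DEBUG is assigned at least once and every assignment is
# explicitly false. Strict by design (an assumption of this example): unset,
# empty, disagreeing duplicates, or typos such as "flase" all fail.
debug_is_off() {
  total=$(app_debug_values "$1" | grep -c '' || true)
  bad=$(app_debug_values "$1" | grep -cvxE 'false|\(false\)' || true)
  [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Succeed if a saved HTTP response body contains none of the debug-page
# markers used in the guide's curl check.
body_is_clean() {
  ! grep -Eqi 'whoops|ignition|debug|stack trace' "$1"
}

# Constructed sample input so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'APP_ENV=production\nAPP_DEBUG=false\n' > "$tmp/good.env"
printf 'APP_DEBUG=false\n# APP_DEBUG=true\nAPP_DEBUG="True"  # temp\n' > "$tmp/bad.env"
printf '<h1>Page not found</h1>\n' > "$tmp/clean.html"
printf '<title>Ignition</title><pre>Stack trace</pre>\n' > "$tmp/leaky.html"

for f in good.env bad.env; do
  if debug_is_off "$tmp/$f"; then echo "$f: ok"
  else echo "$f: BLOCK DEPLOY, APP_DEBUG is not explicitly false"; fi
done
for f in clean.html leaky.html; do
  if body_is_clean "$tmp/$f"; then echo "$f: ok"
  else echo "$f: debug markers present in response"; fi
done
```

In a pipeline, call debug_is_off on the .env that will ship and exit non-zero when it fails; body_is_clean takes a file written by curl -s -o.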
Frequently Asked Questions
What information does debug mode expose?
Debug mode exposes your full .env contents (database credentials, API keys, APP_KEY), complete stack traces with file paths, server PHP version, installed package versions, SQL queries, and request data. This is enough for an attacker to fully compromise your application.
Can I have debug mode on for specific IPs only?
Laravel does not support IP-based debug mode natively. Instead, use Laravel Telescope for debugging in production with authentication. Install it with composer require laravel/telescope, then restrict access in TelescopeServiceProvider using the gate() method to allow only admin users.
How do developers accidentally enable debug mode in production?
The most common causes are: copying .env.example (which has APP_DEBUG=true) to .env on the server, enabling debug temporarily to troubleshoot and forgetting to disable it, and deployment scripts that do not set environment-specific values. A cached config with debug=true persists even after changing .env until you run config:clear.