How to Fix Exposed Laravel Ignition Error Pages

Laravel Ignition error pages are visible in production, leaking stack traces and environment details. Learn how to disable them.

Critical severity Application Security Updated 2026-03-01

The Problem

Exposed Ignition error pages display detailed stack traces, source code snippets, environment variables, and request data to anyone who triggers an error on your site. Ignition is Laravel's default error page handler during development, and when it appears in production it provides attackers with file paths, database credentials, package versions, and application architecture details.

How to Fix

  1. Disable debug mode in production


    Then clear and rebuild the cache:

  2. Remove Ignition from production if not needed

    Move Ignition to dev-only dependencies:


    When you deploy with the --no-dev flag, Ignition is not installed:

  3. Create custom error pages

    Create Blade templates for common HTTP errors so users see branded pages:

    resources/views/errors/404.blade.php:


    Create similar pages for 500.blade.php and 503.blade.php.

  4. Configure error reporting to an external service

    Replace visible error pages with proper error tracking. Install Sentry or Flare:


    Add to your .env:


How to Verify

Trigger a 500 error on your production site by visiting a broken route or temporarily throwing an exception. You should see your custom error page or a generic server error, not the Ignition debug screen. Test with:

curl -s https://yourdomain.com/non-existent-route | grep -i "ignition\|whoops\|stack trace"

This should return no matches.

Prevention

Deploy with composer install --no-dev to exclude debug packages. Add APP_DEBUG=false verification to your deployment pipeline. Use StackShield to continuously verify that Ignition pages are not exposed after deployments or configuration changes.
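One way to script the APP_DEBUG verification and the response check described above as a single pipeline gate. This is an added example, not code from the original page, Laravel or StackShield. The function names, the `--check` argument and the file paths are assumptions; the markers are the ones from the curl check above.

```bash
#!/usr/bin/env bash
# Added example: deployment gate combining the APP_DEBUG check and the debug-page check.
# Assumptions: function names, the --check argument and all paths are illustrative.

# Print the last value assigned to KEY ($2) in dotenv FILE ($1), without quotes or comments.
env_value() {
  tr -d '\r' < "$1" \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | tail -n 1 \
    | sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed only when APP_DEBUG is literally false or (false). A missing key fails, and so do
# values such as "off" or "no", which are non-empty strings and cast to true in PHP.
debug_disabled() {
  local v
  v=$(env_value "$1" APP_DEBUG | tr '[:upper:]' '[:lower:]')
  case "$v" in
    false|'(false)') return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed when the response body on stdin contains a debug-page marker.
has_debug_markers() {
  grep -qiE 'ignition|whoops|stack trace'
}

# Gate: ENV_FILE ($1) must disable debug and BODY_FILE ($2) must be free of markers.
deploy_gate() {
  local env_file=$1 body_file=$2 rc=0
  if ! debug_disabled "$env_file"; then
    echo "FAIL: APP_DEBUG is not explicitly false in $env_file" >&2; rc=1
  fi
  if has_debug_markers < "$body_file"; then
    echo "FAIL: response body contains debug-page markers" >&2; rc=1
  fi
  return "$rc"
}

# Pipeline usage: ./gate.sh --check .env https://yourdomain.com/non-existent-route
if [ "${1:-}" = "--check" ]; then
  body=$(mktemp)
  trap 'rm -f "$body"' EXIT
  curl -s "$3" -o "$body" || { echo "FAIL: request failed" >&2; exit 1; }
  deploy_gate "$2" "$body"
fi
```

A non-zero exit status fails the pipeline step; the marker match is a plain text search, so a page that legitimately mentions one of the words will also fail the gate.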

Frequently Asked Questions

What is the difference between Ignition and Whoops?

Ignition replaced Whoops as Laravel's default error page handler starting in Laravel 6. Ignition provides more features like solution suggestions and a stack trace viewer. Both expose the same critical information (environment variables, source code, queries) when visible in production.

Can Ignition be exploited beyond just information disclosure?

Yes. Older versions of Ignition (before 2.5.2) had a remote code execution vulnerability (CVE-2021-43617) that allowed attackers to execute arbitrary code through the Ignition debug endpoint. Always keep Ignition updated and never expose it in production.
