Laravel debug mode enabled (Invicti IAST)
Description
The Laravel application is running with debug mode enabled, which causes detailed error messages, stack traces, and application internals to be displayed when errors occur. Debug mode is intended for development environments only and should never be enabled in production. This setting is controlled by the APP_DEBUG environment variable in the .env file, which is referenced by the debug option in config/app.php. When disabled, users see only generic error pages without sensitive technical details.
Remediation
Disable debug mode immediately in all production and staging environments by setting the APP_DEBUG environment variable to false in your .env file:
# .env
APP_DEBUG=false
After making this change, clear the application cache to ensure the new configuration takes effect:
php artisan config:clear
php artisan cache:clear
Verify the change by triggering a test error and confirming that only a generic error page is displayed. Additionally, ensure your .env file is never committed to version control and is listed in .gitignore. For development environments, keep debug mode enabled locally but use environment-specific configuration management to prevent accidental deployment with debug enabled.
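A release gate for the two checks above, as an added example that is not part of the original advisory: it fails when .env does not explicitly set APP_DEBUG to false or when .gitignore has no .env entry. The function names, the policy of requiring an explicit false value, and the assumption that the release directory holds both files are choices made for this example.

```shell
#!/bin/sh
# Added example: release gate for the APP_DEBUG and .gitignore advice above.
# Function names and the "explicit false only" policy are assumptions.

# Print "off", "on" or "unset" for APP_DEBUG in the dotenv file $1.
# Conservative by design: a single assignment that is not an explicit
# false value is treated as enabled, whichever line Laravel would honour.
app_debug_state() {
    state=unset
    # Collect every APP_DEBUG value, normalised: no CR, inline comment,
    # quotes or trailing blanks, and lowercased.
    values=$(tr -d '\r' < "$1" |
        sed -n 's/^[[:space:]]*APP_DEBUG[[:space:]]*=[[:space:]]*//p' |
        sed -e 's/[[:space:]]#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//' |
        tr 'A-Z' 'a-z')
    for v in $values; do
        case $v in
            false|"(false)"|0) [ "$state" = on ] || state=off ;;
            *) state=on ;;
        esac
    done
    printf '%s\n' "$state"
}

# Succeed when the .gitignore in directory $1 has an entry for .env.
# Literal match only; negation rules and nested .gitignore files are not evaluated.
env_is_ignored() {
    [ -f "$1/.gitignore" ] && grep -Eq '^/?\.env[[:space:]]*$' "$1/.gitignore"
}

# Gate for the application root $1: prints each problem, returns 1 if any.
check_release() {
    rc=0
    if [ -f "$1/.env" ]; then
        s=$(app_debug_state "$1/.env")
        [ "$s" = off ] || { echo "FAIL: APP_DEBUG is $s in $1/.env"; rc=1; }
    else
        echo "FAIL: $1/.env not found"; rc=1
    fi
    env_is_ignored "$1" || { echo "FAIL: .env is not listed in $1/.gitignore"; rc=1; }
    return $rc
}

# Usage from a deploy script: check_release /path/to/release || exit 1
```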