Whoops error handler component detected
Description
The web application has the Whoops error handler component enabled in a production environment. Whoops is a debugging library designed for development that displays detailed error pages including stack traces, environment variables, request parameters, and application source code when exceptions occur. This verbose error reporting should only be used during development and poses a security risk when exposed to end users.
Remediation
Disable Whoops error handling in production environments and implement generic error pages for end users. Configure the application to log detailed errors server-side for debugging purposes while displaying user-friendly error messages without technical details.
For PHP applications using Whoops, ensure it is only registered in development environments:
    <?php
    require __DIR__ . '/vendor/autoload.php'; // Composer autoloader that provides the Whoops classes

    if (getenv('APP_ENV') === 'development') {
        // Development only: verbose error pages with stack traces, request data and source
        $whoops = new \Whoops\Run;
        $whoops->pushHandler(new \Whoops\Handler\PrettyPageHandler);
        $whoops->register();
    } else {
        // Production: never render error details to the client, but still report every error
        ini_set('display_errors', '0');
        error_reporting(E_ALL);
        // Log errors server-side instead of displaying them
        ini_set('log_errors', '1');
        ini_set('error_log', '/var/log/app/errors.log');
    }

Additionally, remove Whoops from production dependencies by placing it in the development section of your dependency manager (e.g., require-dev in composer.json). Implement custom error pages that provide helpful guidance to users without revealing system internals.
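The following added example (not part of this advisory) fills in the production branch: it logs the full exception server-side under a correlation ID and returns only a generic page to the client. The log path is the one given above; the generic page markup and the hex reference ID format are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: production exception handling that keeps details out of responses.
function renderGenericErrorPage(string $errorId): string
{
    // No class names, file paths or stack frames reach the browser, only a reference ID.
    return '<!doctype html><html><body>'
        . '<h1>Something went wrong</h1>'
        . '<p>Please try again later. Reference: '
        . htmlspecialchars($errorId, ENT_QUOTES, 'UTF-8') . '</p>'
        . '</body></html>';
}

function handleProductionException(Throwable $e): void
{
    // Correlation ID lets support match a user's report to the server-side log entry.
    $errorId = bin2hex(random_bytes(8));

    // Full detail (type, message, file, line, trace) goes to the error log only.
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\nStack trace:\n%s",
        $errorId,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));

    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo renderGenericErrorPage($errorId);
}

// Fail safe: an unset APP_ENV is treated as production, so Whoops is never registered by accident.
if (getenv('APP_ENV') !== 'development') {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/app/errors.log'); // path from the remediation above
    // Since PHP 7 fatal runtime errors are thrown as \Error, so this handler covers them too.
    set_exception_handler('handleProductionException');
}
```

Pair this with moving the Whoops package to require-dev and deploying with composer install --no-dev, so the library is not present on production hosts at all.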