Making sure Laravel's debug mode is always disabled in production

Recently, people started talking about a malware called “Androxgh0st” specifically targeting Laravel apps. In a recent edition of Securing Laravel, Stephen Rees-Carter wrote a good explanation of how it works.

The malware targets apps with APP_DEBUG set to true. When enabled, Laravel will give detailed error messages, and some security features will be disabled. In production, you always want this value to be set to false.

You can make sure it's always set to' false' using Oh Dear’s application monitoring feature. We can notify you whenever someone should set it to true. Let’s go through the steps required to set this up.

Installing Laravel Health in your Laravel app

The spatie/laravel-health package can monitor the health of your application by registering one of the available checks. Out of the box, it can monitor if your application is in debugging mode.

Using Laravel Health, you can check many other things, such as used disk space, whether or not Horizon is running, and [much more]!

You can install the package using composer.

composer require spatie/laravel-health

You’ll find full installation instructions here.

To register the debug mode check, you can put this code in a service provider.

// typically, in a service provider

use Spatie\Health\Facades\Health;
use Spatie\Health\Checks\Checks\UsedDiskSpaceCheck;

   // other checks can come here

Adding a health check endpoint to your Laravel app

Oh Dear’s application health check works by sending an HTTP request to your application to a specific endpoint to get health check results. Your application should respond with JSON containing the result of health checks.

The spatie/laravel-health package can add such an endpoint to your Laravel app. To do this, must configure the ohdear_endpoint_key in the health config file.

You can publish that health with this command:

php artisan vendor:publish --tag="health-config"

These are some of the default values in the published health config file.

// in app/config/health.php

 * You can let Oh Dear monitor the results of all health checks. This way, you'll
 * get notified of any problems even if your application goes totally down. Via
 * Oh Dear, you can also have access to more advanced notification options.
'oh_dear_endpoint' => [
    'enabled' => false,

     * When this option is enabled, the checks will run before sending a response.
     * Otherwise, we'll send the results from the last time the checks have run.
    'always_send_fresh_results' => true,

     * The secret that is displayed at the Application Health settings at Oh Dear.
    'secret' => env('OH_DEAR_HEALTH_CHECK_SECRET'),

     * The URL that should be configured in the Application health settings at Oh Dear.
    'url' => '/oh-dear-health-check-results',

To get started:

  • set the enabled config option to true
  • add a secret (we recommend putting it in the .env file, just like you would do for any application secret or password)
  • optionally customize the url where the health check endpoint will be registered.

Configuring the health check at Oh Dear

At Oh Dear, you can create a new site to monitor and enable the application health check.

In the application health check settings screen at Oh Dear, you should fill in the URL and secret that you specified in the health config file.

And with this set up, Oh Dear will send you a notification whenever somebody should set APP_DEBUG to true.

In closing

Oh Dear’s application health check can be used to warn you whenever somebody turns on debugging mode of your app, but also a lot more other things can be checked:

  • disk space is running low
  • the database is down
  • Redis cannot be reached
  • mails cannot be sent
  • a reboot of your app is required
  • ...

Next to this application health check, we also offer a scheduled jobs check. You can sync your application's schedule to Oh Dear using the spatie/laravel-schedule-monitor package. We can notify you whenever a scheduled task is not running on time or not running at all.

More updates

Want to get started? We offer a no-strings-attached 30 day trial. No credit card required.

Start monitoring

You're all set in
less than a minute!