# Making sure Laravel's debug mode is always disabled in production

Recently, people started talking about malware called “Androxgh0st” that specifically targets Laravel apps. In a recent edition of [Securing Laravel](https://securinglaravel.com), Stephen Rees-Carter wrote [a good explanation](https://securinglaravel.com/p/laravel-security-androxgh0st-malware) of how it works.

The malware targets apps with `APP_DEBUG` set to `true`. When enabled, Laravel will give detailed error messages, and some security features will be disabled. In production, you always want this value to be set to `false`.

You can make sure it's always set to `false` using Oh Dear’s [application monitoring](https://ohdear.app/features/application-health-monitoring) feature. We can notify you whenever someone sets it to `true`. Let’s go through the steps required to set this up.

### Installing Laravel Health in your Laravel app

The [spatie/laravel-health package](https://spatie.be/docs/laravel-health) can monitor the health of your application by registering one of [the available checks](https://spatie.be/docs/laravel-health/v1/available-checks/overview). Out of the box, it can monitor if your application is in debugging mode.

Using Laravel Health, you can check many other things, such as used disk space, whether or not Horizon is running, and much more!

You can install the package using composer.

```bash
composer require spatie/laravel-health
```

You’ll find full installation instructions [here](https://spatie.be/docs/laravel-health/v1/installation-setup).

To register the debug mode check, you can put this code in a service provider.

```php
// typically, in a service provider

use Spatie\Health\Facades\Health;
use Spatie\Health\Checks\Checks\DebugModeCheck;

Health::checks([
   DebugModeCheck::new(),
   
   // other checks can come here
]);
```


### Adding a health check endpoint to your Laravel app

Oh Dear’s application health check works by sending an HTTP request to a specific endpoint in your application to get health check results. Your application should respond with JSON containing the result of health checks.

The spatie/laravel-health package can add such an endpoint to your Laravel app. To do this, you must configure the `oh_dear_endpoint` key in the `health` config file.

You can publish that `health` config file with this command:

```bash
php artisan vendor:publish --tag="health-config"
```

These are some of the default values in the published `health` config file.

```php
// in app/config/health.php

/*
 * You can let Oh Dear monitor the results of all health checks. This way, you'll
 * get notified of any problems even if your application goes totally down. Via
 * Oh Dear, you can also have access to more advanced notification options.
 */
'oh_dear_endpoint' => [
    'enabled' => false,

    /*
     * When this option is enabled, the checks will run before sending a response.
     * Otherwise, we'll send the results from the last time the checks have run.
     */
    'always_send_fresh_results' => true,

    /*
     * The secret that is displayed at the Application Health settings at Oh Dear.
     */
    'secret' => env('OH_DEAR_HEALTH_CHECK_SECRET'),

    /*
     * The URL that should be configured in the Application health settings at Oh Dear.
     */
    'url' => '/oh-dear-health-check-results',
],
```

To get started:

- set the `enabled` config option to `true`
- add a `secret` (we recommend putting it in the `.env` file, just like you would do for any application secret or password)
- optionally customize the `url` where the health check endpoint will be registered.

### Configuring the health check at Oh Dear

At Oh Dear, you can create a new site to monitor and enable the application health check.

In the application health check settings screen at Oh Dear, you should fill in the URL and secret that you specified in the `health` config file.

![Oh Dear Application health settings with Health Report URL and Health Report Secret fields](/media/blog/u87FnLilDHErJuldBRJuhH838GnpFMHAqVyZqgW0.jpg)

With this set up, Oh Dear will send you a notification whenever somebody sets `APP_DEBUG` to `true`.
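
A deploy-time complement to the runtime check above, as an added example that is not part of the spatie/laravel-health package or of Oh Dear: a POSIX shell guard that reads a `.env` file and reports whether Laravel would end up with debug mode on. It assumes the stock `'debug' => (bool) env('APP_DEBUG', false)` line in `config/app.php`; the function name and the sample file content are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the laravel-health package): deploy-time APP_DEBUG guard.
# Assumption: config/app.php keeps the stock line
#   'debug' => (bool) env('APP_DEBUG', false),
# so any value other than false/null/empty/0 (or a missing key) enables debug mode.

# Returns 0 if any APP_DEBUG assignment in the given .env file turns debug on,
# 1 if none does, 2 if the file cannot be read.
app_debug_enabled() {
    [ -r "$1" ] || return 2
    awk -v q="'" '
        BEGIN {
            # Values that env() turns into false, null or "", plus "0": all cast to false.
            n = split("false (false) null (null) empty (empty) 0", f, " ")
            for (i = 1; i <= n; i++) falsy[f[i]] = 1
            falsy[""] = 1
        }
        /^[ \t]*(export[ \t]+)?APP_DEBUG[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            first = substr(v, 1, 1)
            if (first == "\"" || first == q) {   # quoted: keep text up to the closing quote
                v = substr(v, 2)
                stop = index(v, first)
                if (stop) v = substr(v, 1, stop - 1)
            } else {                             # bare: drop inline comment, CR and spaces
                sub(/[ \t]+#.*$/, "", v)
                sub(/[ \t\r]+$/, "", v)
            }
            v = tolower(v)
            if (!(v in falsy)) on = 1            # flag the file if ANY assignment is truthy
        }
        END { exit (on ? 0 : 1) }
    ' "$1"
}

# Constructed sample: "off" looks disabled, but it is a non-empty string, so the
# (bool) cast makes it true and the guard flags it.
sample=$(mktemp)
printf 'APP_ENV=production\nAPP_DEBUG="off"  # looks disabled\n' > "$sample"
if app_debug_enabled "$sample"; then
    echo "APP_DEBUG is effectively ON in $sample; refusing to deploy" >&2
fi
rm -f "$sample"
```

The guard only sees the file it is given; an `APP_DEBUG` variable set in the server environment or a stale cached config is not covered, which is what the runtime health check is for.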

## In closing

Oh Dear’s [application health check](https://ohdear.app/docs/features/application-health-monitoring) can warn you whenever somebody turns on your app's debug mode, and it can alert you to many other problems as well:

- disk space is running low
- the database is down
- Redis cannot be reached
- mails cannot be sent
- a reboot of your app is required
- ...

Disabling debug mode is one step; you can also [monitor your Laravel app for critical vulnerabilities](/news-and-updates/how-to-monitor-your-laravel-app-for-critical-vulnerabilities-using-oh-dear).

Next to this application health check, we also offer [a scheduled jobs check](https://ohdear.app/docs/features/cron-job-monitoring). You can sync your application's schedule to Oh Dear using the [spatie/laravel-schedule-monitor](https://github.com/spatie/laravel-schedule-monitor) package. We can notify you whenever a scheduled task is not running on time or not running at all.
