Tips · Jun 12, 2026 · 6 min read

Harden your Laravel app in 10 minutes

The five misconfigurations Nexus flags most often in production Laravel deployments — and the exact fix for each.

Most Laravel breaches don't start with a clever exploit; they start with a setting left at its default. Here are the five issues the Nexus web & app audit flags most often, in order of how dangerous they are.

1. APP_DEBUG=true in production

Debug mode renders the full exception page to any visitor who can trigger an error: stack traces with source excerpts, request data, environment variables and with them your database credentials. Set it to false in .env, then rebuild the config cache. Two things to know about that cache: once bootstrap/cache/config.php exists, Laravel reads it and ignores .env until you run config:cache again, so editing .env on its own changes nothing; and with a cached config, env() calls anywhere outside the config/ files return null, so move any such calls into config.

bash
# .env
APP_DEBUG=false
# rebuild the cached config so the new value is actually read
php artisan config:cache

2. A readable .env

If /.env is reachable over HTTP, everything is over: APP_KEY, the database credentials and every third-party secret come back in a single request. Make sure the web server's document root is public/, not the project root, and add a deny rule for dotfiles as defense in depth. Then check it from the outside with a plain request for /.env: expect a 403 or 404, never a 200.

3. Weak or default database credentials

  • Never ship root/root or app/secret to production; the stock .env.example's DB_USERNAME=root with an empty DB_PASSWORD counts too.
  • Use a least-privilege DB user scoped to one schema: SELECT, INSERT, UPDATE and DELETE on the app's database, no global privileges and no GRANT OPTION. Run migrations as a separate, more privileged user.
  • Rotate credentials when a developer leaves, and whenever a value has shown up somewhere it shouldn't (a commit, a ticket, a debug page).

4. Leaked frontend secrets

Anything prefixed VITE_ in a Laravel Vite build (NEXT_PUBLIC_ is the equivalent in Next.js), or otherwise baked into a compiled bundle, is public: it ships to every browser and sits in every CDN cache. Keep API keys server-side and proxy requests through your backend; only keys the provider documents as publishable belong in the bundle.

5. Exposed source maps

Production source maps hand attackers your original code, comments and internal route names. Disable them in your build (for Vite that is build.sourcemap: false; note that 'hidden' still writes the .map files next to the bundle and only drops the sourceMappingURL comment), or restrict them to authenticated internal users.

Nexus checks all five automatically and scores your site 0–100, so you can watch the number climb as you fix each one.
