Secrets and debug mode in production

Fintech MVP, Laravel 11

Redacted case study. How a pre-launch configuration audit found live API credentials in the repository and stack traces leaking to end users.

9 findings
3 critical
3 days turnaround

The challenge

A fintech startup was days from onboarding its first paying customers when the CTO requested an emergency audit ahead of an investor demo. The app processed real financial data.

The approach

A three-day Sprint focused on configuration hardening, secrets management, and authentication — the areas most likely to surface immediate compliance blockers.

What we found

Debug mode was enabled in production, exposing full stack traces including database credentials to any user who triggered an error:

# production .env — flagged
APP_ENV=production
APP_DEBUG=true
STRIPE_SECRET=sk_live_...

# fix
APP_ENV=production
APP_DEBUG=false
STRIPE_SECRET= # rotated and sourced from Vault

The .env file was also accessible via a misconfigured web server and a copy had been committed to the repository, exposing the Stripe live key to anyone with repo access.
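A pre-deploy check for the two findings above, added here as an illustrative example rather than the client's code or part of the audit itself: it parses a .env file, flags APP_DEBUG enabled while APP_ENV=production, and flags any value shaped like a Stripe live secret key. Both .env samples are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the flagged production .env (not the client's real file).
FLAGGED_ENV = """\
APP_ENV=production
APP_DEBUG=true
STRIPE_SECRET=sk_live_EXAMPLE_PLACEHOLDER
DB_PASSWORD=not-a-real-password
"""

# Constructed sample shaped like the fixed file: debug off, key rotated and injected from Vault.
HARDENED_ENV = """\
APP_ENV=production
APP_DEBUG=false
STRIPE_SECRET= # rotated and sourced from Vault
"""

# Value prefixes that mean a live credential is sitting inline instead of in a secrets manager.
LIVE_SECRET_PATTERNS = [("Stripe live secret key", re.compile(r"^sk_live_"))]

# Strings Laravel's env() helper treats as boolean true.
TRUTHY = {"true", "(true)", "1"}


def parse_env(text: str) -> Dict[str, str]:
    """Minimal .env parser: KEY=VALUE lines; blanks, comments and trailing ' # ...' are dropped."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.partition(" #")[0].strip()  # strip inline comment
        if value.startswith("#"):  # value was nothing but a comment
            value = ""
        values[key.strip()] = value.strip("'\"")
    return values


def audit_env(text: str) -> List[str]:
    """Return findings for the two misconfigurations described in this case study."""
    env = parse_env(text)
    findings: List[str] = []
    if env.get("APP_ENV") == "production" and env.get("APP_DEBUG", "false").lower() in TRUTHY:
        findings.append("CRITICAL: APP_DEBUG is on with APP_ENV=production; "
                        "error pages will expose stack traces and config to end users")
    for key, value in env.items():
        for label, pattern in LIVE_SECRET_PATTERNS:
            if pattern.match(value):
                findings.append(f"CRITICAL: {key} holds a {label} inline; rotate it and "
                                "inject it from a secrets manager instead")
    return findings


if __name__ == "__main__":
    for finding in audit_env(FLAGGED_ENV):
        print(finding)
```

Run it against each environment's .env in CI so a production deploy fails before the error page ever reaches a customer.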

The result

Debug disabled, secrets rotated before the investor review, .env removed from git history and blocked at the web root. App launched clean.

Get the same review for your app.

Book an AI-Code Audit Sprint.