Hidden String Laravel Package

paragonie/hidden-string

HiddenString provides a small PHP utility for handling sensitive strings more safely in memory. Extracted from ParagonIE Halite, it helps reduce accidental exposure via debugging/serialization by wrapping secret values in an object. Requires PHP 7+.


paragonie/hidden-string provides a small, focused HiddenString value object (extracted from Halite) for handling sensitive strings in PHP while minimizing accidental exposure in logs, debugging output, or serialization. It’s designed for security-conscious code that needs to pass secrets around without treating them like ordinary strings.

  • Wrap secrets (e.g., API keys, passwords) in a dedicated HiddenString container
  • Reduce accidental leakage via safer string handling and representation
  • Simple, lightweight dependency with a clear, minimal API
  • Suitable for cryptography-adjacent workflows and security tooling
  • Requires PHP 7+
Frequently asked questions about Hidden String
How do I use HiddenString in Laravel to protect API keys or database credentials?
Wrap sensitive strings in a `HiddenString` object where they’re used, like `new HiddenString(config('services.api_key'))`. This prevents accidental exposure in logs or stack traces. For example, inject it into service constructors or validation rules instead of passing raw strings.
Will HiddenString work with Laravel’s config() helper or environment variables?
Yes, but you must manually wrap the output. For example, replace `config('services.stripe_key')` with `new HiddenString(config('services.stripe_key'))`. Avoid logging or dumping the `HiddenString` object directly, as it may still leak in some contexts like serialization.
Does this package support Laravel 10 (PHP 8.0+) or older versions?
It requires **PHP 7+**, so it works with Laravel 5.5+ (PHP 7.1+) through Laravel 10 (PHP 8.0+). No Laravel-specific dependencies mean it integrates seamlessly across versions, but test thoroughly in your target environment.
How can I ensure HiddenString doesn’t accidentally leak in Laravel logs or stack traces?
Avoid logging or dumping `HiddenString` objects directly. Call `getString()` only where the raw value is actually needed, or implement custom log handlers to mask sensitive data. Tools like Laravel Debugbar or Sentry may need configuration to handle `HiddenString` gracefully.
Can I use HiddenString with Laravel’s encryption (e.g., Encrypter) for storing secrets?
Yes, pair it with Laravel’s `Encrypter` for storage. For example, decrypt a value with `Encrypter::decrypt($value)` and wrap it in `new HiddenString()`. This ensures secrets remain protected in memory while leveraging Laravel’s built-in encryption for persistence.
What’s the performance impact of using HiddenString in high-traffic Laravel apps?
The overhead is minimal—just object wrapping/unwrapping. Benchmark in your specific use case (e.g., bulk operations), but for most Laravel apps, the impact is negligible. It’s optimized for security, not performance.
How do I test HiddenString in Laravel unit tests without exposing secrets?
Use `new HiddenString()` with a throwaway value for test setup, but avoid hardcoding secrets in tests. Mock dependencies that require `HiddenString` and verify interactions without exposing real values. Assertions should focus on behavior, not the hidden string’s content.
Are there alternatives to HiddenString for Laravel that offer similar security?
Laravel’s `Str::of()` or `Encrypter` handle some cases, but neither prevents leaks in logs/stack traces. For dedicated secret masking, consider `paragonie/hidden-string` or libraries like `ramsey/uuid` (for tokens) paired with custom masking logic. HiddenString is lightweight and focused on this specific risk.
Can I use HiddenString in Laravel Blade templates or Eloquent models?
Avoid rendering `HiddenString` directly in Blade (e.g., `{{ $secret }}`). Use `{{ $secret->getString() }}` sparingly or implement custom Blade directives to mask output. For Eloquent, store `HiddenString` in attributes but ensure serialization (e.g., `toJson()`) doesn’t expose secrets.
How do I migrate existing Laravel apps to use HiddenString for secrets?
Start with high-risk areas like API keys or tokens. Replace raw strings with `HiddenString` in constructors, services, or validation. Use a phased approach: pilot in critical services, then standardize via helpers (e.g., `hidden(config('secret'))`). Audit logs and stack traces to catch leaks early.
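The wrap-early, unwrap-late pattern from the answers above, as an added example that is not code from the package or from this page. The `hidden()` helper, the `PaymentClient` class and the secret value are hypothetical; it assumes the package is installed with Composer and uses the library's constructor flags, `getString()` and `equals()`.

```php
<?php
declare(strict_types=1);

// Assumption: installed with `composer require paragonie/hidden-string`.
require __DIR__ . '/vendor/autoload.php';

use ParagonIE\HiddenString\HiddenString;

// Hypothetical helper. Both flags are passed explicitly so the result
// does not depend on the constructor defaults.
function hidden(string $secret): HiddenString
{
    return new HiddenString($secret, true, true); // disallowInline, disallowSerialization
}

// Hypothetical service: holds the wrapper, unwraps only at the point of use.
final class PaymentClient
{
    /** @var HiddenString */
    private $apiKey;

    public function __construct(HiddenString $apiKey)
    {
        $this->apiKey = $apiKey;
    }

    public function authHeader(): string
    {
        return 'Authorization: Bearer ' . $this->apiKey->getString();
    }
}

$plain  = 'example-secret-not-real'; // constructed; stands in for config('services.api_key')
$key    = hidden($plain);
$client = new PaymentClient($key);

ob_start();
var_dump($client); // nested HiddenString is rendered through __debugInfo()
$dump = ob_get_clean();

// Accidental paths must not contain the secret; the explicit path must.
$checks = [
    'var_dump masked'     => strpos($dump, $plain) === false,
    'string cast empty'   => (string) $key === '',
    'serialize omits it'  => strpos(serialize($key), $plain) === false,
    'getString() unwraps' => strpos($client->authHeader(), $plain) !== false,
    'equals() compares'   => $key->equals(hidden($plain)),
];
foreach ($checks as $name => $ok) {
    echo str_pad($name, 22), $ok ? "ok\n" : "FAIL\n";
}
```

The string returned by `getString()` is an ordinary PHP string again, so anything that logs or dumps `authHeader()` output is outside the wrapper's protection.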