GuardAPI

Fix Security Misconfiguration in Spiral

Spiral's high-performance architecture is a double-edged sword. Default configurations often prioritize developer velocity over production hardening. A common 'Security Misconfiguration' involves leaving the Snapshot debugger active or exposing verbose error handlers. In production, this turns your stack traces into a roadmap for attackers, leaking environment variables and internal file structures.

The Vulnerable Pattern

// .env file
DEBUG=true

// app/src/App.php or a custom Bootloader
use Spiral\Bootloader as Framework;

protected const LOAD = [
    Framework\DebugBootloader::class, // Always loaded regardless of environment
    // …
];

// In HttpConfig
'exposeErrors' => true,

The Secure Implementation

Leaving DEBUG=true triggers the Spiral Snapshot system, which renders full stack traces, including sensitive environment variables and source code context. To harden the application:

1. Ensure DEBUG is false in the production .env.
2. Use EnvironmentInterface to conditionally load the DebugBootloader.
3. Explicitly disable 'exposeErrors' in HttpConfig for production.
4. Ensure the RoadRunner RPC interface is bound to 127.0.0.1 in .rr.yaml to prevent external orchestration attacks.

// .env file (Production)
DEBUG=false
ENV=production

// app/src/App.php - Conditional loading
use Spiral\Bootloader as Framework;

protected function defineBootloaders(): array
{
    $bootloaders = [
        // Core bootloaders
    ];

    // Register the debug bootloader only when DEBUG is enabled for this environment
    if ($this->env->get('DEBUG')) {
        $bootloaders[] = Framework\DebugBootloader::class;
    }

    return $bootloaders;
}

// In app/src/Bootloader/ExceptionHandlerBootloader.php
use Spiral\Boot\EnvironmentInterface;
use Spiral\Http\Config\HttpConfig;

public function boot(HttpConfig $http, EnvironmentInterface $env): void
{
    // Expose detailed error output only when DEBUG is explicitly enabled;
    // the default of false keeps production fail-closed.
    $http->setExposeErrors((bool) $env->get('DEBUG', false));
}
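Step 4 of the hardening list is not illustrated by the page's own snippets. The following .rr.yaml fragment is an added example, not code from the original page or from the Spiral or RoadRunner projects: the server command and HTTP address are placeholders chosen to make the fragment complete, and the rpc.listen line is the setting the step is about.

```yaml
# .rr.yaml (production) - added example; server/http values are placeholders.
version: "3"

server:
  command: "php app.php"

http:
  # The public HTTP listener is the only endpoint meant to be reachable from outside.
  address: 0.0.0.0:8080

rpc:
  # Weak setting: listen: tcp://0.0.0.0:6001 exposes the RoadRunner control
  # plane (worker reset, metrics, etc.) to every host that can reach the box.
  # Bind it to loopback so only processes on this machine can use it.
  listen: tcp://127.0.0.1:6001
```

If another container or host legitimately needs RPC access, keep the loopback bind and reach it through a tunnel or sidecar on the same network namespace rather than widening the listen address.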


Verified by Ghost Labs Security Team
