debugKit safe list [solved]

cakephp 4.3

2021-05-18 06:44:43 Warning: DebugKit is disabling itself as your host is not in the known safe list of top-level-domains (localhost, invalid, test, example, local,

'debug' => filter_var(env('DEBUG', true), FILTER_VALIDATE_BOOLEAN),

My domain is in the safe list (in application :
Configure::write(‘DebugKit.safeTld’, [‘’]);

cakephp 4.3 is installed in subdomain :

I’m not familiar with the tld config option, but looking at the source code and the documentation, you can only specify a “top level domain” (TLD) as a value. That means com, net, dev etc. You cannot specify a full URL.

Valid value would be

// Allow e.g. or http://my-shop.local domains locally
Configure::write('DebugKit.safeTld', ['dev', 'local', 'example']);

Read more in the CakePHP cook book

If you’re trying to enable DebugKit on a public/production domain, I’d recommend against that. DebugKit gives out a lot of information that should not be public.

Thank you for replying.
I’m trying to make it work.
I tried several changes but still not working.

What are some things you are trying? Is the domain you want to access local or online?

If you want to access my_domain.local, you’ll need the following configuration:

// Allow http://my-shop.local domains locally
Configure::write('DebugKit.safeTld', ['local']);

If you want, you’ll need this, but do remember my warning about showing non-public information to the public if you are using this online.

// Allow domains locally
Configure::write('DebugKit.safeTld', ['com']);

It didn’t look like it, but DebugKit might have some safe-guarding denying you from using the popular TLDs like com and net etc.

Remember to write this configuration before loading DebugKit.

// Allow http://my-shop.local domains locally
Configure::write('DebugKit.safeTld', ['local']);

Thank you for solving my problem.
But I think it’s a strange behavior.
Just writing ‘com’ or ‘fr’ (in my case) does not add much security I think.

Thank you very much again.

Adding com or fr is indeed not a safe thing to do in general. If you know what you’re doing, and make sure that setting never gets to a production site, then it’s okay, but be very careful with it.