I moved my project to HOST, but I can still access .env at the address mysite.com/.env, which displays this file with all variables and secure data. My .env file:
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:xxxxxxx
APP_URL=http://localhost
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=xx
DB_USERNAME=xx
DB_PASSWORD=secret
CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
MAIL_DRIVER=smtp
MAIL_HOST=mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
How can I protect this file? And is this the logical solution?
Note: (I moved all files from the public folder into the root directory.)
As .env files are stored in plain-text (not just environment variables in memory), they are at risk of being read by unauthorized users with no audit trail in terms of access and changes made.
So the necessary permission is 0600, which makes it accessible on the website but not through the URL.
The .env file resides outside the public folder, so it should not be visible from the outside world if the server is configured to see the public folder as document root.
Using environment variables is a somewhat common practice during Development but it is actually not a healthy practice to use with Production. While there are several reasons for this, one of the main reasons is that using environment variables can cause unexpected persistence of variable values.
Create a .htaccess file in your root directory and put the following code in it.
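# Disable directory index view
Options -Indexes
# Hide a specific file
<Files ".env">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>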
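A deployment check for the two fixes discussed above (keeping .env outside the document root, or denying it in .htaccess), added here as an example and not code from the original answers. The function names, the `SENSITIVE` list and the sample tree are assumptions made for illustration.

```python
import os, re, stat, tempfile

# Names that should never be reachable under the document root (list chosen for this example).
SENSITIVE = (".env", ".git", "composer.json", "artisan")
FILES_BLOCK = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RULE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)

def htaccess_denies(docroot, name):
    """True if docroot/.htaccess has a <Files name> block holding a deny rule.
    Apache only honours it when AllowOverride permits; that is not checked here."""
    path = os.path.join(docroot, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = re.sub(r"(?m)^\s*#.*$", "", fh.read())  # drop comment lines
    return any(target == name and DENY_RULE.search(body)
               for target, body in FILES_BLOCK.findall(text))

def audit_docroot(docroot):
    """List sensitive entries found directly inside the directory Apache serves."""
    findings = []
    for name in SENSITIVE:
        path = os.path.join(docroot, name)
        if os.path.lexists(path):
            # Mode bits limit local users; they are reported separately from the deny rule.
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            findings.append({"name": name,
                             "denied": htaccess_denies(docroot, name),
                             "world_readable": bool(mode & stat.S_IROTH)})
    return findings

def build_sample(project, flattened):
    """Constructed Laravel-like tree; flattened=True mimics the question's layout
    (public/ contents moved up, so the project root is the document root)."""
    os.makedirs(os.path.join(project, "public"), exist_ok=True)
    with open(os.path.join(project, ".env"), "w") as fh:
        fh.write("DB_PASSWORD=secret\n")
    os.chmod(os.path.join(project, ".env"), 0o600)
    docroot = project if flattened else os.path.join(project, "public")
    with open(os.path.join(docroot, "index.php"), "w") as fh:
        fh.write("<?php\n")
    return docroot

if __name__ == "__main__":
    for flattened in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            print(flattened, audit_docroot(build_sample(tmp, flattened)))
```

An empty result means none of the listed names sit inside the served directory; an entry with `denied` false is one that relies on nothing in .htaccess to keep it from being served.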