Menu
Laravel's official site recommends that we put the .env into gitignore and so to others.
Why? I feel it comes quite handy for future usage once you forget how you setup the configurations.
897
env files for my backend application and the usual recommendation is to put all . env files in gitignore to not share it in the repo and use something like Github Secrets to store the . env files.
env file should be committed to version control. The trouble is that blindly committing it creates a huge security risk. Here I discuss a few pointers on how to do so in a safe manner.
The . env file contains the individual user environment variables that override the variables set in the /etc/environment file. You can customize your environment variables as desired by modifying your . env file.
env files are a surrogate environment variable for local development only, but should never be committed to Git.
The answers here and many articles all said .env includes sensitive information so it should not be put in source control. But the thing is .env does not just include sensitive information, it may also contain typical setting configuration. You can just leave sensitive information out and keep all the other settings in git.
Some suggests put .env.example in git, I actually followed that for a while but found it quite “inconvenient”, especially for the guys who newly joined the team. When they check out the codes, they find codes can not run, then they just copy .env from other old guys (not from .env.example and make the necessary changes.) b/c for dev environment even the sensitive information like API key/DB password are shared.
Quite often the whole dev team will have one API key and one DB setting. I see this happened from time to time, which just makes me doubt the use of .env.example.
So now I use the practice of putting .env in git and put sensitive information in .env.local which is gitignored.
Ruby dotenv gem suggested this https://github.com/bkeepers/dotenv#what-other-env-files-can-i-use
Symfony 4 has also changed to this behavior
When I do nodejs project I also use a npm package called dotenv-flow to do that.
146
Your .env file contains very sensitive information (your app key at the very least). You do not want this in version control where everybody can see this information and possibly use it to attack your site.
Think about database information which might be stored in there or email keys or passwords. Furthermore it is likely that the information which you use in your .env file also needs to change between environments so you will need to change values anyways.
What should you instead do?
Make a file .env.example in this file you place all the keys of your .env.
ex.
APP_ENV=local
APP_DEBUG=true
APP_KEY=SomeRandomString
APP_URL=http://localhost
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret
Here you can see a file in which all the necessary information for somebody that wants to use your code is available but none of the sensitive information. Then somebody can copy this .env.example to .env and change the values.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
