Laravel .env Files Exposed In Browsers

_shahroznawaz profile image Shahroz Nawaz 惻1 min read

What would be your secure directory structure when working with Laravel framework. The sensitive files like .env should not be exposed in the browsers. It contains sensitive information like database, mail, payment API credentials.

I just google DB_USERNAME filetype:env and dang hundreds of .env files are exposed in the browser. How would you save that?

I did the tweet also: https://twitter.com/_shahroznawaz/status/1080393723412967424


markdown guide

Oh wow! That's horrifying. Do you think it's only Laravel's fault, dotenv is a popular pattern for multiple languages. I first came across dotenv in Ruby where it wasn't initially recommended for production.

Is this because those sites' web servers are set to serve the Laravel project root and should be doing something else?


As a symfony user, we also use dotenv. But, when deploying to production the .env file is removed and the variables are saved in actual enviroment var's. That would be the best way to do it i think.


Agreed that this would be the best way. Iā€™m a little concerned if Laravel itself is mandating using the .env file in production.


Hey, I'm little confused on "actual environment var's". can you show a little example of symfony how you do this without .env file? :)

Environment variables are set within the OS itself and the application then reads them (via getenv or $_ENV in PHP, I believe). My colleague Dominik wrote a great post about how to set environment variables on different platforms which you might be interested in.

Correct, that is what i meant. The dotenv file (at least in symfony), is used for local development. Once you deploy a symfony project, it wil check if you removed the .env file. If the file still exists, your app will throw an error, thus making it so people HAVE to get rid of it.


No, It's not Laravel's fault. They recommend to setup webroot properly to /public. even specifying some htaccess rules also but this happened at developers end :D They need to secure it properly.


Could be better. Symfony checks for the env file, and if its there, it won't even run on production mode, only dev mode


Thing is, if you make it possible to expose credentials, but document how to avoid it, someone (many people, according to that Google search) will expose them.

It's up to the framework to build this such that developers can't make this mistake.


That's a really bad practice. The whole point about dotenv is to use env variables when deployed to a server. Env files shouldn't be in the repository in the first place šŸ˜­