What would be your secure directory structure when working with Laravel framework. The sensitive files like .env should not be exposed in the brows...
Oh wow! That's horrifying. Do you think it's only Laravel's fault? dotenv is a popular pattern for multiple languages. I first came across dotenv in Ruby, where it wasn't initially recommended for production.
Is this because those sites' web servers are set to serve the Laravel project root and should be doing something else?
As a Symfony user, we also use dotenv. But when deploying to production, the .env file is removed and the variables are saved in actual environment var's. That would be the best way to do it, I think.
Agreed that this would be the best way. I'm a little concerned if Laravel itself is mandating using the .env file in production.
Hey, I'm a little confused on "actual environment var's". Can you show a little example of how you do this in Symfony without the .env file? :)
Environment variables are set within the OS itself and the application then reads them (via getenv or $_ENV in PHP, I believe). My colleague Dominik wrote a great post about how to set environment variables on different platforms which you might be interested in.
Correct, that is what I meant. The dotenv file (at least in Symfony) is used for local development. Once you deploy a Symfony project, it will check if you removed the .env file. If the file still exists, your app will throw an error, thus making it so people HAVE to get rid of it.
That's a really bad practice. The whole point about dotenv is to use env variables when deployed to a server. Env files shouldn't be in the repository in the first place.
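A pre-deploy check for the two points raised in this thread, added here as an example and not posted by any commenter: no dotenv file sits inside the directory the web server serves, and the required settings come from real environment variables. The function names and the sample variable names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# List dotenv-style files inside the directory the web server serves.
# Anything under the document root can be requested by a browser.
dotenv_in_docroot() {
    find "$1" -type f -name '.env*'
}

# Print the names (space-separated) that are unset or empty in the
# process environment, i.e. not provided by the OS or service manager.
missing_env_vars() {
    missing=""
    for name in "$@"; do
        value=$(printenv "$name" || true)
        [ -n "$value" ] || missing="$missing $name"
    done
    printf '%s' "${missing# }"
}

# Return 0 only if the docroot holds no dotenv file and every
# required variable is set; otherwise report each problem on stderr.
check_deploy() {
    docroot=$1
    shift
    [ -d "$docroot" ] || { echo "FAIL: no such directory: $docroot" >&2; return 2; }
    status=0
    exposed=$(dotenv_in_docroot "$docroot")
    if [ -n "$exposed" ]; then
        echo "FAIL: dotenv file inside document root: $exposed" >&2
        status=1
    fi
    missing=$(missing_env_vars "$@")
    if [ -n "$missing" ]; then
        echo "FAIL: not set in the environment: $missing" >&2
        status=1
    fi
    return "$status"
}

# Sample call (constructed path and variable names):
#   check_deploy /var/www/app/public APP_KEY DB_PASSWORD
```

Pointing the check at the project root instead of its public directory fails as soon as a .env file is present there, which is the misconfiguration the thread describes.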