DEV Community

Laravel .env Files Exposed In Browsers

Shahroz Nawaz on January 03, 2019

What would be your secure directory structure when working with Laravel framework. The sensitive files like .env should not be exposed in the brows...
Collapse
 
philnash profile image
Phil Nash

Oh wow! That's horrifying. Do you think it's only Laravel's fault, dotenv is a popular pattern for multiple languages. I first came across dotenv in Ruby where it wasn't initially recommended for production.

Is this because those sites' web servers are set to serve the Laravel project root and should be doing something else?

Collapse
 
joppedc profile image
JoppeDC

As a symfony user, we also use dotenv. But, when deploying to production the .env file is removed and the variables are saved in actual enviroment var's. That would be the best way to do it i think.

Collapse
 
philnash profile image
Phil Nash

Agreed that this would be the best way. Iā€™m a little concerned if Laravel itself is mandating using the .env file in production.

Collapse
 
_shahroznawaz profile image
Shahroz Nawaz • Edited

Hey, I'm little confused on "actual environment var's". can you show a little example of symfony how you do this without .env file? :)

Thread Thread
 
philnash profile image
Phil Nash

Environment variables are set within the OS itself and the application then reads them (via getenv or $_ENV in PHP, I believe). My colleague Dominik wrote a great post about how to set environment variables on different platforms which you might be interested in.

Thread Thread
 
joppedc profile image
JoppeDC

Correct, that is what i meant. The dotenv file (at least in symfony), is used for local development. Once you deploy a symfony project, it wil check if you removed the .env file. If the file still exists, your app will throw an error, thus making it so people HAVE to get rid of it.

Collapse
 
_shahroznawaz profile image
Shahroz Nawaz

No, It's not Laravel's fault. They recommend to setup webroot properly to /public. even specifying some htaccess rules also but this happened at developers end :D They need to secure it properly.

Collapse
 
joppedc profile image
JoppeDC

Could be better. Symfony checks for the env file, and if its there, it won't even run on production mode, only dev mode

Thread Thread
 
philnash profile image
Phil Nash

That makes more sense.

Collapse
 
philnash profile image
Phil Nash

Thing is, if you make it possible to expose credentials, but document how to avoid it, someone (many people, according to that Google search) will expose them.

It's up to the framework to build this such that developers can't make this mistake.

Collapse
 
rhymes profile image
rhymes

That's a really bad practice. The whole point about dotenv is to use env variables when deployed to a server. Env files shouldn't be in the repository in the first place šŸ˜­