In the root of any Laravel folder there should be .env file which contains various settings, in KEY=VALUE pair format.
This file is important because it contains different environments’ definitions (dev, stage, production) and a security risk in the event an intruder gains access to the file.
If you don’t configure well, anyone can access yourdomain.com/.env file and read its content.
Following these steps to secure the file:
Table of Contents
Setup domain’s root folder
The proper way to run Laravel app is to map a domain to public folder. After that, no one can view the files in the root folder of Laravel, which means that your.env
file is already protected, as well your entire application.
Ignore in source control
As I mentioned above, this file is different from each environments, so it is better to avoid committing this file. And this would be a security risk in case there is data breach in your source control repository.
Block access in .htaccess
Adding these lines in your .htaccess file to block access to .env file.
<FilesMatch "^\.env">
Order allow,deny
Deny from all
</FilesMatch>