Secure .env File in Laravel

In the root of any Laravel project there is a .env file that holds the application's settings as KEY=VALUE pairs.

This file matters because it holds each environment's definitions (dev, stage, production), typically including database credentials and the application key, so it is a security risk if an intruder gains access to it.

If the web server is not configured correctly, anyone can request yourdomain.com/.env and read its contents.

Follow these steps to secure the file:

Set up the domain's root folder

The proper way to run a Laravel app is to map the domain's document root to the public folder. Once that is done, nothing in the Laravel root folder can be served directly, which means your .env file is protected, along with the rest of your application. Verify it after the change: a request for yourdomain.com/.env should come back as a 404 (or 403), never as the file's contents.

Ignore in source control

As mentioned above, this file differs between environments, so it should not be committed. Laravel's default .gitignore already lists .env; keep it that way, and commit only a .env.example with placeholder values. Keeping real secrets out of the repository also limits the damage if your source control is breached.

Block access in .htaccess

Add these lines to your .htaccess file to block web access to the .env file (the pattern also matches backup copies such as .env.bak). Order and Deny are Apache 2.2 directives; on Apache 2.4 they only work if mod_access_compat is loaded, so there use Require all denied inside the same FilesMatch block instead.

# Deny direct web access to .env and any .env.* copy (Apache 2.2 syntax)
<FilesMatch "^\.env">
    Order allow,deny
    Deny from all
</FilesMatch>
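As an added example (not code from the original post or from Laravel), here is a small POSIX shell script that audits the three steps above against a Laravel checkout and its Apache virtual host file, and optionally makes a live request for /.env. The script name, the paths and the vhost file location are assumptions; the .htaccess check accepts both the Apache 2.2 Deny form shown above and the 2.4 Require form.

```shell
#!/bin/sh
# audit_env.sh - added example, not code from the original post or from Laravel.
# Assumed inputs: a Laravel checkout directory, an Apache vhost file, and
# optionally the site's base URL. Example invocation (paths are hypothetical):
#   sh audit_env.sh /var/www/app /etc/apache2/sites-enabled/app.conf https://yourdomain.com

# Step 1: DocumentRoot must be the Laravel public/ folder, so .env, vendor/
# and storage/ all sit one level above what the web server will serve.
docroot_is_public() {
  vhost="$1"
  root=$(awk '$1 == "DocumentRoot" { gsub(/"/, "", $2); print $2; exit }' "$vhost" 2>/dev/null)
  [ -n "$root" ] || return 1
  case "${root%/}" in
    */public) return 0 ;;
    *)        return 1 ;;
  esac
}

# Step 2: .env must be ignored by git. Laravel's stock .gitignore lists it;
# a hand-written one may not.
env_ignored() {
  app="$1"
  grep -Eqx '/?\.env' "$app/.gitignore" 2>/dev/null
}

# Step 3: an .htaccess rule denying .env, accepting either the Apache 2.2
# "Deny from all" form used above or the 2.4 "Require all denied" form.
htaccess_blocks_env() {
  htaccess="$1"
  [ -f "$htaccess" ] || return 1
  awk '
    /<FilesMatch.*\.env/ { inblock = 1 }
    inblock && (/Deny[[:space:]]+from[[:space:]]+all/ || /Require[[:space:]]+all[[:space:]]+denied/) { found = 1 }
    /<\/FilesMatch>/ { inblock = 0 }
    END { exit found ? 0 : 1 }
  ' "$htaccess"
}

# Live check: request /.env and treat a body containing an APP_KEY= line as a
# leak, whatever status code came back. Needs network access, so it is only
# run when a URL is given.
env_exposed() {
  base="$1"
  curl -s -m 10 "${base%/}/.env" | grep -Eq '^APP_KEY='
}

audit() {
  app="$1"; vhost="$2"; url="$3"; status=0
  if docroot_is_public "$vhost"; then echo "ok   DocumentRoot points at public/"
  else echo "FAIL DocumentRoot is not the public/ folder"; status=1; fi
  if env_ignored "$app"; then echo "ok   .env is listed in .gitignore"
  else echo "FAIL .env is not ignored by git"; status=1; fi
  if htaccess_blocks_env "$app/.htaccess"; then echo "ok   .htaccess denies .env"
  else echo "FAIL no .htaccess rule denying .env"; status=1; fi
  if [ -n "$url" ]; then
    if env_exposed "$url"; then echo "FAIL $url/.env is readable"; status=1
    else echo "ok   $url/.env is not readable"; fi
  fi
  return $status
}

# Only run when invoked with arguments, so the functions stay sourceable.
if [ $# -ge 2 ]; then audit "$@"; fi
```

The .htaccess check looks at the file in the Laravel root, which is only consulted when the document root is (wrongly) the Laravel root; with the document root on public/ it is defence in depth, which is why the script reports each step separately rather than stopping at the first failure.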
