No, it's not Laravel's fault. They recommend setting up the webroot properly to /public, even specifying some htaccess rules, but this happened at the developers' end :D They need to secure it properly.
Could be better. Symfony checks for the env file, and if it's there, it won't even run in production mode, only dev mode.
That makes more sense.
Thing is, if you make it possible to expose credentials, but document how to avoid it, someone (many people, according to that Google search) will expose them.
It's up to the framework to build this such that developers can't make this mistake.