Is your Laravel app safe?
No, if you forgot to adjust the .htaccess file to stop displaying the .env file in a browser.
Just check the .htaccess file if you are blocking access to directory indexing and the .env file as well.
visit you www.example.com/path/to/laravel/.env in browser
if you can access it :D , no need to worry.
Just add this code in your .htaccess file
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Order allow,deny
Deny from all
</Files>
just update it as soon as you can.
This will do what comments are suggesting inside code.
Sorry for my bad English.
Discussion (4)
This should only happen if you have a misconfiguration on your server. The server should only allow access to the public folder, /public.
I think if you have to rely on your .htaccess then there is something else wrong with your configuration.
Also, if app_debug is set to true, you would be exposing your env.
okay, I am a newbie and had no idea about this, and uploaded the same files as I had in my development, would you recommend any guide on how to setup laravel project for production.
If you are using Forge or Envoyer for deployment, they both have a way to upload your environment variables.
Also, the .env file shouldn't be committed to your got repo or uploaded directly to your server.
I don't have any guides to recommend but I'm sure there are some out there.
The .env file is not thread safe and not considered for production. It's only for development purpose and not more.