Waqar Hussain

Your Laravel app is not safe?

Is your Laravel app safe?

Not if you forgot to adjust the .htaccess file to stop the .env file from being served to a browser.

Check whether your .htaccess file blocks directory indexing and access to the .env file.

Visit www.example.com/path/to/laravel/.env in a browser.

If you can't access it :D, there is no need to worry.

Just add this code to your .htaccess file:

```apache
# Disable index view (directory listings)
Options -Indexes

# Hide a specific file. "Order"/"Deny" are Apache 2.2 directives; on Apache 2.4
# without mod_access_compat use "Require all denied" inside the block instead.
<Files .env>
    Order allow,deny
    Deny from all
</Files>
```

Just update it as soon as you can.

This does what the comments inside the code describe: it disables directory indexing and denies web access to the .env file.
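As an added check that is not part of the post, here is a small Python audit that takes the contents of a .htaccess and a .env as strings and reports whether directory indexing is disabled, whether .env is denied (accepting both the Apache 2.2 directives used above and the Apache 2.4 `Require all denied` form), and whether APP_DEBUG is on, the exposure raised in the comments below. All sample file contents are constructed; on a real server read them with `Path.read_text()`.

```python
import re
from fnmatch import fnmatch

# Constructed samples (not from the post): an unhardened .htaccess that only rewrites into public/, and the post's fix as-is.
UNSAFE_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ public/$1 [L]\n"
SAFE_HTACCESS = "Options -Indexes\n<Files .env>\n    Order allow,deny\n    Deny from all\n</Files>\n"
# Constructed .env contents; Laravel's debug page prints these when APP_DEBUG is on.
DEBUG_ENV = "APP_ENV=production\nAPP_DEBUG=true\nAPP_KEY=base64:placeholder\n"
PROD_ENV = "APP_ENV=production\nAPP_DEBUG=false\nAPP_KEY=base64:placeholder\n"

# <Files name> takes a literal or wildcard name; <FilesMatch regex> takes a regex.
FILES_BLOCK = re.compile(r'<(Files|FilesMatch)\s+"?([^\s">]+)"?\s*>(.*?)</\1>', re.S | re.I)
# Apache 2.2 (mod_access_compat) and 2.4 (mod_authz_core) ways of denying everyone.
DENY = re.compile(r"^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.M | re.I)

def _covers_dotenv(tag, pattern):
    if tag.lower() == "files":
        return fnmatch(".env", pattern)
    try:
        return re.search(pattern, ".env") is not None
    except re.error:
        return False

def env_is_blocked(htaccess):
    """True if some Files/FilesMatch block matching .env denies all access."""
    return any(_covers_dotenv(tag, name) and DENY.search(body)
               for tag, name, body in FILES_BLOCK.findall(htaccess))

def indexes_disabled(htaccess):
    return re.search(r"^\s*Options\b.*-Indexes", htaccess, re.M | re.I) is not None

def debug_enabled(env_text):
    """Read APP_DEBUG the way a KEY=value loader would (quotes and case tolerated)."""
    for line in env_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "1", "yes", "on")
    return False

def audit(htaccess, env_text):
    """Return the problems found; an empty list means both fixes are in place."""
    findings = []
    if not indexes_disabled(htaccess):
        findings.append("directory indexing is enabled (add: Options -Indexes)")
    if not env_is_blocked(htaccess):
        findings.append(".env is not denied (add a <Files .env> deny block)")
    if debug_enabled(env_text):
        findings.append("APP_DEBUG=true: the error page will print .env values")
    return findings
```

Running `audit(UNSAFE_HTACCESS, DEBUG_ENV)` returns all three findings, while `audit(SAFE_HTACCESS, PROD_ENV)` returns an empty list.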

Sorry for my bad English.

Discussion (4)

Joe Czubiak

This should only happen if you have a misconfiguration on your server. The server should only allow access to the public folder, /public.

I think if you have to rely on your .htaccess then there is something else wrong with your configuration.

Also, if APP_DEBUG is set to true, you would be exposing your env.

Waqar Hussain (Author)

Okay, I am a newbie and had no idea about this; I uploaded the same files as I had in my development. Would you recommend any guide on how to set up a Laravel project for production?

Joe Czubiak

If you are using Forge or Envoyer for deployment, they both have a way to upload your environment variables.

Also, the .env file shouldn't be committed to your git repo or uploaded directly to your server.

I don't have any guides to recommend but I'm sure there are some out there.

Daniel O.

The .env file is not thread safe and not considered for production. It's only for development purposes and nothing more.