Reputation: 2121
I just found that Laravel 5 may output sensitive data and can lead to further exploitation of many hosts:
https://www.google.com/search?q=intext%3ADB_PASSWORD+ext%3Aenv&gws_rd=ssl
I want to know how to secure my .env file. Can I use the code below in my .htaccess file to protect my .env file from browser view?
# Protect .env
<Files .env>
Order Allow,Deny
Deny from all
</Files>
Will my above code in .htaccess work and protect my .env file?
Upvotes: 10
Views: 17280
Reputation: 11
This worked for me. Just go into the root folder (using an SSH terminal).
cd ./youre_project
After that: chmod 700 .env
If you try to access the .env file from the public URL you will get:
https://youre_profject.com/.env
Forbidden
You don't have permission to access this resource.
Upvotes: -1
Reputation: 43
Hello, you can create a .htaccess file at the same place and write the code below.
# Disable index view
Options -Indexes
# Hide a specific file
<Files .env>
Order allow,deny
Deny from all
</Files>
Upvotes: 3
Reputation: 143
If you execute the config:cache command during your deployment process, you should be sure that you are only calling the env function from within your configuration files. Once the configuration has been cached, the .env file will not be loaded and all calls to the env function will return null.
So on the live server, you can delete the .env file after you execute the config:cache command.
Upvotes: 2
Reputation: 6730
I'd like to point out that your solution only helps with shielding the actual .env file. When debug mode is enabled, while using the Whoops handler (and possibly other error handlers as well), the environment variables will also be shown to the visitor when an error occurs (this can even be a 404).
To sum up what others have said in this thread, a .env file is a security issue if:
Upvotes: 0
Reputation: 2970
This isn't a vulnerability, and isn't even remotely an issue provided someone installs Laravel correctly: the webroot is the public folder, not the repository/project root.
The config files and the .env file in Laravel are not contained in the webroot, therefore you only need to ensure your webroot is path/to/project/public.
The Google query you provided is literally just a bunch of people who didn't read the documentation before installing Laravel.
Upvotes: 9
Reputation: 5760
IMHO the best way to protect a config file from browsing is to put it outside of the public dir. Protecting it via .htaccess could be deceptive: if something fails, your file will become publicly available.
Upvotes: 0
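The two answers above (serve only the public folder; treat .htaccess as a fallback, not the primary control) in one Apache vhost, as an added example that is not code from any answer in this thread. The paths /var/www/myapp and the host name myapp.example are assumed placeholders.

```apache
# WRONG: DocumentRoot at the project root. Every file in the repository,
# including .env, composer.json and storage/, becomes URL-addressable.
# <VirtualHost *:80>
#     ServerName myapp.example
#     DocumentRoot /var/www/myapp
# </VirtualHost>

# CORRECT: only public/ is served. .env lives one level above the webroot,
# so no URL maps to it regardless of what .htaccess says.
<VirtualHost *:80>
    ServerName myapp.example
    DocumentRoot /var/www/myapp/public

    <Directory /var/www/myapp/public>
        # Required so Laravel's own public/.htaccess can rewrite to index.php
        AllowOverride All
        Require all granted
    </Directory>

    # Defence in depth for hosts where the project root ends up served anyway
    # (shared hosting, a copy-pasted vhost). Apache 2.4 syntax; the
    # "Order allow,deny / Deny from all" form in the answers above is the
    # 2.2 equivalent and only works in 2.4 with mod_access_compat loaded.
    # The pattern also catches .env.example, .env.backup and similar copies.
    <FilesMatch "^\.env">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

As the Whoops answer notes, none of this helps if APP_DEBUG is left on in production, since the error page itself prints the environment; the vhost only controls which files are reachable by URL.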