
Reputation: 739

How to protect .env file in Laravel

I moved my project to the host, but I can still access .env at the address mysite.com/.env, which displays this file with all variables and secure data. My .env file:

APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:xxxxxxx
APP_URL=http://localhost

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=xx
DB_USERNAME=xx
DB_PASSWORD=secret

CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync

REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

MAIL_DRIVER=smtp
MAIL_HOST=mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

How can I protect this file? And is this the logical solution?

Note: (I moved all files of the public folder into the root directory.)

Upvotes: 23

Views: 29983

Answers (7)

Rinshan Kolayil

Reputation: 1139

I have tried the following steps to deploy Laravel on shared hosting.

  1. Edit /etc/apache2/apache2.conf on Ubuntu.

     <Directory /var/www/>
             Options Indexes FollowSymLinks
             # Changed from None to All
             AllowOverride All
             Require all granted
     </Directory>

  2. Enable mod_rewrite: sudo a2enmod rewrite

  3. Edit or create .htaccess in the root (Public HTML folder)

     <Files ~ "\.(env|json|config.js|md|xml|gitignore|gitattributes|lock|editorconfig|yml|styleci.yml)$">
         Order allow,deny
         Deny from all
     </Files>
     Options -Indexes
     <Files ~ "(artisan|package.json|webpack.mix.js)$">
         Order allow,deny
         Deny from all
     </Files>

  4. Restart the Apache server: sudo service apache2 restart

Note: The first two steps are used only on my own PC.

Upvotes: 9

Islam Elshawadfi

Reputation: 21

Move .htaccess from the public folder, and then paste this code in the .htaccess file.

<Files .env>
    Order allow,deny
    Deny from all
</Files>

Upvotes: 0

MANSOOR KOCHY

Reputation: 373

In my case, when I hosted my project on shared hosting, my .env file was accessible. My folder structure was like this:

Root
|+ App
| App
| config
| Database
| Routes
| Storage
| .env
| ...
| index.php
| .htaccess
|+ css
|+ js

My .env file was accessible via website.com/app/.env

Solution: Put all your public content in a folder named public and change the root document path in settings [don't forget to change the app.php path in the index.php file]

|+app
|+public

The bootstrap.php file paths should be like this: /../app/vendor/autoload.php & /../app/bootstrap/app.php

Upvotes: 0

daniel Warui

Reputation: 336

You are probably looking for how to stop .env files from being served by Apache, so read on.

Do this in the /etc/apache2/apache.conf file on Ubuntu. After this part of that file:
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>

add the code below

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>

Then restart your Apache server with sudo service apache2 restart and enjoy!

Upvotes: 4

Karthik

Reputation: 5757

Create a .htaccess file in your root directory and put the following code in it.

# Disable index view
options -Indexes

# Hide a specific file

<Files .env>
order allow,deny
Deny from all
</Files>

Upvotes: 27

rizky redjo

Reputation: 75

You should change the permissions of all folders in your app to 741, except bootstrap, storage and public (755).

Upvotes: 1

Illia Yaremchuk

Reputation: 2025

  1. Move everything except the Public folder to a higher level, such as a folder laravel - http://prntscr.com/bryvu7

  2. In the file public_html/index.php, change the line

     require __DIR__.'/../bootstrap/autoload.php';

     to

     require __DIR__.'/../laravel/bootstrap/autoload.php';

     And the line

     $app = require_once __DIR__.'/../bootstrap/app.php';

     to

     $app = require_once __DIR__.'/../laravel/bootstrap/app.php';
     $app->bind('path.public', function() {
         return __DIR__;
     });

  3. In the file laravel/server.php, change the line

     require_once __DIR__.'/public/index.php';

     to

     require_once __DIR__.'/index.php';

Upvotes: 2
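A filesystem check for the layouts discussed in the answers above, as an added example that is not part of any answer: it lists project files that still sit inside the document root, where the web server can map a URL to them. The function names, the list of file and directory names, and the constructed sample trees are assumptions of this example; it inspects files only and does not evaluate Apache rules.

```shell
#!/bin/sh
# audit_docroot DOCROOT
# Lists project files and directories that sit inside a web document root.
# Prints one path per line. Returns 0 if none found, 1 if any, 2 on bad input.
audit_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    # Name list is an assumption of this example: .env and copies of it,
    # Laravel's artisan, dependency manifests, and whole project directories.
    hits=$(find "$docroot" \
        \( -type d \( -name .git -o -name vendor -o -name storage \) \
           -print -prune \) -o \
        \( -type f \( -name .env -o -name '.env.*' -o -name artisan \
           -o -name composer.json -o -name composer.lock \
           -o -name package.json -o -name webpack.mix.js \) -print \) | sort)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample trees under BASE:
#   flat/  - the question's layout, the whole project inside public_html
#   split/ - the layout from the last answer, project in laravel/ beside it
make_samples() {
    base=$1
    mkdir -p "$base/flat/public_html/vendor" "$base/flat/public_html/css" \
             "$base/split/laravel/vendor" "$base/split/public_html/css"
    for f in .env .env.bak artisan composer.json index.php; do
        : > "$base/flat/public_html/$f"
    done
    for f in .env artisan composer.json; do
        : > "$base/split/laravel/$f"
    done
    : > "$base/split/public_html/index.php"
    : > "$base/split/public_html/.htaccess"
}

# Audit the path given on the command line; with no argument, define only.
[ "$#" -eq 0 ] || audit_docroot "$1"
```

A `<Files .env>` rule matches only the exact name, so a copy such as `.env.bak` in the document root is reported here even when that rule is in place.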
