Reputation: 371
Why do people put the .env into gitignore?
Laravel's official site recommends that we put the .env into gitignore and so to others.
Why? I feel it comes quite handy for future usage once you forget how you setup the configurations.
Upvotes: 23
Views: 40668
Answers (4)
Reputation: 12445
The answers here and many articles all said .env includes sensitive information so it should not be put in source control. But the thing is .env does not just include sensitive information, it may also contain typical setting configuration. You can just leave sensitive information out and keep all the other settings in git.
Some suggests put .env.example in git, I actually followed that for a while but found it quite “inconvenient”, especially for the guys who newly joined the team. When they check out the codes, they find codes can not run, then they just copy .env from other old guys (not from .env.example and make the necessary changes.) b/c for dev environment even the sensitive information like API key/DB password are shared.
Quite often the whole dev team will have one API key and one DB setting. I see this happened from time to time, which just makes me doubt the use of .env.example.
So now I use the practice of putting .env in git and put sensitive information in .env.local which is gitignored.
Ruby dotenv gem suggested this https://github.com/bkeepers/dotenv#what-other-env-files-can-i-use
Symfony 4 has also changed to this behavior
When I do nodejs project I also use a npm package called dotenv-flow to do that.
--- update ---
python-dotenv supports this in an indirect way as I can load_dotenv from several env files and environment variables will be set based on the order they are loaded, e.g.
#if environment variables are set in both .env.local & .env,
#their values will be set based on .env.local
#if .env.local doesn't exist it won't complain.
load_dotenv('.env.local')
load_dotenv('.env')
Upvotes: 9
Reputation: 8361
The List of files added in .gitignore file will be discarded by Git and will not be uploaded/downloaded to/from Git repository
Main advantages of putting .env in .gitignore.
1) The .env file contains sensitive information about the project. Information like your Database Credentials, You Encryption Key, If your app is using any API then you can have API Keys/Access tokens can be loaded from the .env file and you might not want those credentials to be accessible to everyone who has access to the project.
2) The .env file contains specific settings which you might not want to have same on Production and Development Environment
Eg. On Development Environment you may keep APP_DEBUG = true where as for Production it's recommended to have APP_DEBUG=false. Similarly if your app is using any API(Payment Gateway) then you will have to use Test API Credentials for Development Environment and Live Credentials(which will result in actual online transaction) for Production Environment which can be managed well through .env file.
Upvotes: 0
Reputation: 5083
Your .env file contains very sensitive information (your app key at the very least). You do not want this in version control where everybody can see this information and possibly use it to attack your site.
Think about database information which might be stored in there or email keys or passwords. Furthermore it is likely that the information which you use in your .env file also needs to change between environments so you will need to change values anyways.
What should you instead do?
Make a file .env.example in this file you place all the keys of your .env.
ex.
APP_ENV=local
APP_DEBUG=true
APP_KEY=SomeRandomString
APP_URL=http://localhost
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=homestead
DB_USERNAME=homestead
DB_PASSWORD=secret
Here you can see a file in which all the necessary information for somebody that wants to use your code is available but none of the sensitive information. Then somebody can copy this .env.example to .env and change the values.
Upvotes: 39
Reputation: 6348
The .env file contains passwords and API keys that should not go into source control for security reasons. Plus they will likely change between environments (you should use different API keys for testing vs production)
What you can do is keep .env.example.php in git and keep it updated with the variables that need to be configured, but leave the value blank. Then on new install just do copy .env.example.php to .env and update the values for that environment.
Upvotes: 1
Related Questions
- How can I ignore the .env file in git?
- How to hide .env file from Github
- Unable to git-ignore .env file in laravel?
- How to store .env file in github?
- Why should I use .gitignore?
- How to ignore .env file from .gitignore for laravel5.2
- Does this .gitignore laravel makes sense when you're working with a team?
- Should I use .gitignore for Laravel?
- Why use .gitignore? And why do I need to not include certain files?
- gitignore vs environment variables Ruby on Rails