How to secure .env file in laravel using file permission?

Question

My env file which has all the credentials is accessible through URL. I found a few questions like How to secure .env file in laravel 5.4? which says to use htaccess to prevent users from accessing the file.

But I prefer using file permission so I changed permission to 0111 which is execute only but I found that the file is not accessible by the internal files as well so my question is what is the right permission.

And is it fine to depend on file permission for security purpose.

Answer 1

Using file permissions you can protect your .env from being modified unintentionally. Though you cannot make it inaccessible by the clients. Because the webserver user (e.g. www-data) that serves the website to the users must have access to it in order to load your configurations.

Therefore you have to ask the web server itself to not serve this particular file online. There are several approaches to achieve this and the most popular one is utilizing .htaccess with the following content:

<Files .env>
    order allow,deny
    Deny from all
</Files>

Answer 2

I had to call my hosting provider to know the permission so that my website is working fine and the permission are also fine so that my file not accessible directly.

So the necessary permission is 0600 which makes it accessible on the website but not through URL.

For .htaccess the solution I was not comfortable with follow: How protect .env file laravel

Here's the script as per the top rated answer in above :

#Disable index view
options -Indexes

#hide a Specifuc File

<Files .env>
order allow,deny
Deny from all
</Files>

Answer 3

I hope it will work for you.

add this code in .htaccess file

<Files .env>
  Order allow,deny
    Deny from all
</Files>