
I'm new to Laravel and I know the .env file is used to store database and email credentials. But when I open http://servername/.env the .env file content is shown in the browser.

Is there any way to protect my database credentials without changing the file name to a non-guessable one?

If I use .htaccess to prevent the file from being read, would this have a negative effect on the Laravel framework?

Nikko
  • I'm not sure how you set up your server, but you should only have the contents of the `public` folder public (for more info, [check this answer](http://stackoverflow.com/a/16683938/908174)). If you do this, your issue is solved. – Luís Cruz Apr 30 '15 at 09:12
  • I haven't done server setup before because I'm a former CI developer trying to learn Laravel. I've checked your answer and will try it. Thank you. – Nikko Apr 30 '15 at 15:08
  • I think [How to secure Laravel .env file and file permission?](https://devnote.in/how-to-secure-the-env-file-in-laravel-using-file-permission/) is the best tutorial. – Fefar Ravi Dec 15 '21 at 06:00

4 Answers


Please add the code below to your .htaccess file. It works both on localhost and on a live server.

# Disable directory listing
Options -Indexes

# Block files which need to be hidden; list each extension in the regex
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat,
# otherwise use "Require all denied" instead)
<Files ~ "\.(env|json|config\.js|md|gitignore|gitattributes|lock)$">
    Order allow,deny
    Deny from all
</Files>
Amit-Inex Patel

You are probably looking for how to stop .env files from being served on Apache, so read on.

Do this in the /etc/apache2/apache.conf file (Ubuntu). After this part of that file:

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

add the code below:

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>

Then restart your Apache server with `sudo service apache2 restart` and enjoy!

daniel Warui
  • That is a good way of globally disabling access to .env files. This code will work for all files that start with a dot: `Require all denied` – Kutalia May 09 '20 at 07:04

In production, the domain should be pointed to the Laravel project's public folder, where the index.php file is; once that is done nobody can access the .env file. If you are uploading the project to show a demo to a client, don't upload the .env file; you can set the env parameters in the .htaccess file instead.

.htaccess file:

SetEnv APP_ENV local
SetEnv APP_DEBUG true
SetEnv APP_KEY app_keyasfassafas

SetEnv DB_HOST localhost
SetEnv DB_DATABASE db_name
SetEnv DB_USERNAME root

SetEnv CACHE_DRIVER file
SetEnv SESSION_DRIVER file
SetEnv QUEUE_DRIVER sync

Important: the Apache env_module should be enabled.

umefarooq
  • So this `.htaccess` will have the same function as `.env`, right? I'll try your suggestion if my server settings have env_module enabled. – Nikko Apr 30 '15 at 15:11
  • Yes, it works the same as .env; it is more protected if you have the project in a subdirectory and not in the root of the server. – umefarooq May 01 '15 at 19:04

In your .htaccess, paste the lines below at the end of the file:

<Files .env>
    Order allow,deny
    Deny from all
</Files>

Laravel .htaccess file:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

# at the end of the .htaccess file
<Files .env>
    Order allow,deny
    Deny from all
</Files>
Balaji
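A quick way to see what the rules quoted in these answers actually cover, as an added example that is not part of any answer: it emulates Apache's `<Files>` glob match and `<Files ~>`/`<FilesMatch>` regex match on the file basename over a constructed list of names and lists the .env-style files each rule still leaves reachable (the `^\.env` rule is my hardened suggestion, not from the page; pointing the document root at `public/` remains the real fix).

```python
import fnmatch
import re

# Constructed sample of basenames that may sit in a Laravel tree when the
# document root is the project root instead of public/ (assumption).
SAMPLE_FILES = [
    ".env", ".env.example", ".env.backup", ".env.production",
    "composer.json", "composer.lock", "README.md", "index.php",
    "app.config.js", "logo.png",
]

SENSITIVE_PREFIX = ".env"  # every variant of the env file is sensitive


def files_glob_matches(pattern, name):
    """Emulate <Files pattern>: shell-style wildcard match (? and *) on the basename."""
    return fnmatch.fnmatchcase(name, pattern)


def files_regex_matches(regex, name):
    """Emulate <Files ~ "regex"> / <FilesMatch "regex">: unanchored regex search on the basename."""
    return re.search(regex, name) is not None


def env_files_left_exposed(rule, names=SAMPLE_FILES):
    """Return the .env-style basenames that the rule would NOT deny.

    rule is ("glob", pattern) for <Files pattern> or ("regex", pattern) for <Files ~>.
    """
    kind, pattern = rule
    match = files_glob_matches if kind == "glob" else files_regex_matches
    return [n for n in names if n.startswith(SENSITIVE_PREFIX) and not match(pattern, n)]


# Rules as given in the answers above.
RULE_FILES_ENV = ("glob", ".env")  # <Files .env>: exact basename only
RULE_ANSWER1 = ("regex", r"\.(env|json|config\.js|md|gitignore|gitattributes|lock)$")
# Hardened variant (my suggestion, not from the page): anchor on the prefix so
# .env.example, .env.backup and similar copies are denied too.
RULE_ENV_PREFIX = ("regex", r"^\.env")

if __name__ == "__main__":
    for label, rule in [("<Files .env>", RULE_FILES_ENV),
                        ("answer 1 regex", RULE_ANSWER1),
                        ("^\\.env", RULE_ENV_PREFIX)]:
        print(f"{label}: still exposed -> {env_files_left_exposed(rule)}")
```

Both rules from the answers deny only a file literally ending in `.env`, so backup or example copies left beside it are still served; the prefix-anchored regex closes that gap.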