24

I am using Laravel 5.1

I recently uploaded my project to shared hosting, but when I browse http://siteAddress.com/local/.env my .env file is visible.

Is there any way to hide this file or redirect people if they want to browse the site with folder view?

smartrahat

4 Answers

59

Finally I hid .env and disabled the index view of the folder named local. I created a .htaccess in the folder local.

And here is the code of .htaccess:

```apache
# Disable index view
Options -Indexes

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>
```

smartrahat
  • 2
    Now go through all the other files you exposed [by doing this](http://stackoverflow.com/questions/33069319/env-file-is-visible#comment53957510_33069414) and add them to your .htaccess file so they can't be accessed. – Mike B Jan 01 '16 at 03:40
  • For those who're looking for similar things, it's better to match every dot file with a sentence replacing `` with `..the same...`; this way you'll protect .env, .env-dev, .any just in case... Anyway, dot env files are supposed to be hidden, at least in Linux – Rodrigo Aug 01 '22 at 23:22
20

Please create a .htaccess file where you have the .env file and write the code as shown below:

```apache
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Ee][Nn][Vv])">
    order allow,deny
    deny from all
    satisfy all
</Files>
```

Then try to hit the .env file from the URL and it will not be available and show codes inside.

If you want to remove it from GitHub, please create a new file .gitignore in the same directory and add the line:

```
.env
```

Prashant Barve
  • Brave Can you confirm if this regex would work to also capture .env files that are named .env.test or .env.development.local for example? If not can you show me the right way to do it? Thanks. order allow,deny deny from all satisfy all – regan Feb 09 '21 at 08:44
  • Hmm, does not work for me. Does this have to be within any other directive? – trainoasis Apr 05 '21 at 07:47
10

You can add the code below to the .htaccess file to disable directory listing and restrict access to the .env file:

```apache
# Disable Directory listing
Options -Indexes

# block files which need to be hidden, specify .example extension of the file
<Files ~ "\.(env|json|config.js|md|gitignore|gitattributes|lock)$">
    Order allow,deny
    Deny from all
</Files>
```

Kamlesh
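To answer the question raised in the comments about `.env.test` and `.env.development.local`, this added example (not code from any of the answers) runs the three `<Files>` arguments posted above against a handful of file names. It assumes that Python's `fnmatch` and `re.search`, applied to the file's base name, model Apache's `<Files>` matching closely enough for these patterns; the sample file names are constructed.

```python
import fnmatch
import re

# The <Files> arguments exactly as posted in the three answers above.
# "glob" = plain <Files name>, "regex" = <Files ~ "pattern">.
RULES = {
    "answer1": ("glob", ".env"),
    "answer2": ("regex", r"^.*\.([Ee][Nn][Vv])"),
    "answer3": ("regex", r"\.(env|json|config.js|md|gitignore|gitattributes|lock)$"),
}

# Constructed sample names: secrets that must be denied,
# and files a site may need to keep reachable.
SECRETS = [".env", ".env.test", ".env.development.local", ".env.bak"]
PUBLIC = ["index.php", "manifest.json", "app.environment.js"]


def blocks(kind, pattern, basename):
    """Return True if the rule would apply to a file with this base name.

    Assumption: <Files> is matched against the last path component,
    as a wildcard string for plain arguments and as an unanchored
    regex search for the "~" form.
    """
    if kind == "glob":
        return fnmatch.fnmatchcase(basename, pattern)
    return re.search(pattern, basename) is not None


def audit(rules=RULES, secrets=SECRETS, public=PUBLIC):
    """Map each rule to (secrets it misses, public files it also denies)."""
    report = {}
    for label, (kind, pattern) in rules.items():
        missed = [n for n in secrets if not blocks(kind, pattern, n)]
        overblocked = [n for n in public if blocks(kind, pattern, n)]
        report[label] = (missed, overblocked)
    return report


if __name__ == "__main__":
    for label, (missed, overblocked) in audit().items():
        print(f"{label}\n  not denied:  {missed}\n  also denied: {overblocked}")
```

A rule that leaves nothing in the "not denied" column still has to be confirmed on the live host by requesting each file and checking for a 403 response.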
3

The .env file resides outside the public folder so it should not be visible from the outside world if the server is configured to see the public folder as document root.

From the best answer:

Remember that once your server is configured to see the public folder as the document root, no one can view the files that are one level down that folder, which means that your .env file is already protected, as well as your entire application. - That is the reason the public folder is there, security. - The only directories that you can see in your browser if you set the document root to the public folder are the folders that are there, like the styles and scripts.

https://laracasts.com/discuss/channels/general-discussion/how-do-you-protect-env-file-from-public

Check the folder structure on your hosting and make sure the public folder is the document root.

Glad To Help
  • There is no `public` folder in my project. I moved all files from the public folder to root and moved the other files and folders into another folder named `local` (created by me). @Glad To Help – smartrahat Oct 11 '15 at 20:19
  • @smartrahat, you are doing it wrong. You have converted your root folder into a public folder, exposing all sensitive data – manix Oct 12 '15 at 02:16
  • @manix, I did it to get rid of `/public` after my site address. Is there any way to protect them with the current file structure? – smartrahat Oct 12 '15 at 07:40
  • 3
    @smartrahat, I am afraid that you are really doing it wrong - it is not protected because it is not meant to be used the way you want it to. While in theory perhaps you could do it with htaccess, what you should really do is either talk to your host to help you set up the structure properly or get a host where you have more control over things. – Glad To Help Oct 12 '15 at 10:02
  • @GladToHelp he is not doing it wrong IF on shared hosting which to me it seems he is: you have to do it this way if using root domain, otherwise how would you point your main domain to a subfolder (public) on Cpanel? You cannot. – trainoasis Apr 05 '21 at 07:48