How do you protect .env file from public?

Published 2 years ago by danlito

Hello guys, I am trying to understand how to use this cool feature of. The only thing that I don't get is how to make this file protected from the public.

If I go to mydomain.com/.env I can see all the variables. Is there any way to hide it?

Thanks

Best Answer (As Selected By danlito)
yayuj

Remember that once your server is configured to see the public folder as the document root, no one can view the files one level down from that folder, which means that your .env file is already protected, as well as your entire application. - That is the reason the public folder is there: security. - The only directories that you can see in your browser if you set the document root to the public folder are the folders that are there, like the styles and scripts.

You can make a test like this:

Enter in your project directory with the terminal and hit this:

php -t public -S 127.0.0.1:80

The -t means the document root, the directory that the PHP built-in web server will interpret as the document root. - see below:

-t <docroot> Specify document root <docroot> for built-in web server.

Now try to access the .env file, and you will see that you get a 404 saying that the resource was not found.

Of course it's just an example; you will need to configure your server to do the same.

jbelcastro

Try changing your file name to .env.php, which should make those non-reachable through the URL. To use it in a different environment (let's say you're working within local) you can use .env.local.php. Also, these files should be stored above the public level, but I'm guessing your Laravel installation is within the public level?

UPDATE: I believe you're actually asking about Laravel5 which I'm not too familiar with so if that's the case please disregard :)

bashy
2 years ago (1,092,500 XP)

Anything before /public should not be viewable. Make your document root /public.

Also, protect dot files with this:

# Block access to dot files
location ~ /\. {
    deny  all;
}

nolros
2 years ago (76,670 XP)

@bashy can you deny all? Can the app find the file if you deny all? I really don't know, but I thought you just block indexing for dot files (or any), which stops them from being listed, but they are still accessible. Do I have this wrong?

yayuj
2 years ago (14,325 XP)

I don't see the need for that; normally, for security reasons, the server blocks access to the .htaccess, which is the only file within the public folder with a dot prefix. What is the need to block all the files with a dot prefix if you won't have access to them anyway?

bashy
2 years ago (1,092,500 XP)

@nolros Yes, it will still read them but not serve them to the client.

This is my drop.conf (included in all my sites):

location = /robots.txt { access_log drops; log_not_found off; }
location = /favicon.ico { access_log drops; log_not_found off; }
location ~ /\. { access_log denied; log_not_found off; deny all; }
location ~ ~$ { access_log denied; log_not_found off; deny all; }

This will log access to robots.txt and favicon.ico (I still like to log these for debugging). It will also block access to .* files; you won't need to serve any dot files (.bash_history, .bash_profile, .zsh, .htaccess are all security issues). There could be a case where a misconfiguration causes those files to be seen. There is also one for files starting with a dollar sign, possible for example if a temp file of some sort is created.
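
To see what yayuj's document-root test and bashy's dot-file/backup-file rules actually decide for a given request, here is an added Python model of that server logic (example code written for this thread, not part of nginx, Laravel or any poster's setup; the sample project layout, the `decide` and `build_demo_project` names and the deny patterns are constructed assumptions that mirror the two `location` rules above):

```python
import os
import re
import tempfile

# Assumed rules modelled on the nginx snippets in this thread:
# "location ~ /\."  denies any path segment that starts with a dot,
# "location ~ ~$"   denies editor backup files whose name ends in "~".
DENY_PATTERNS = [re.compile(r"/\."), re.compile(r"~$")]

def decide(docroot, request_path):
    """Return (status, reason) for a request against a server whose
    document root is `docroot` (e.g. Laravel's public/ directory)."""
    # Normalize the URL path first: "/css/../.env" becomes "/.env", and
    # leading ".." cannot climb above "/" (so it cannot reach ../.env).
    norm = os.path.normpath("/" + request_path)
    for pat in DENY_PATTERNS:
        if pat.search(norm):
            return 403, "denied by dot-file/backup-file rule"
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, norm.lstrip("/")))
    # Defence in depth: a symlink inside docroot could still point outside.
    if os.path.commonpath([root, target]) != root:
        return 404, "outside document root"
    if not os.path.isfile(target):
        return 404, "not found"
    return 200, "served"

def build_demo_project():
    """Constructed sample layout: .env and composer.json beside public/,
    assets plus one stale editor backup inside public/."""
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    os.makedirs(os.path.join(public, "css"))
    files = {
        os.path.join(base, ".env"): "APP_KEY=constructed-example-secret\n",
        os.path.join(base, "composer.json"): "{}\n",
        os.path.join(public, "css", "app.css"): "body{}\n",
        os.path.join(public, ".htaccess"): "Options -Indexes\n",
        os.path.join(public, "index.php~"): "<?php // stale backup\n",
    }
    for path, body in files.items():
        with open(path, "w") as f:
            f.write(body)
    return public

if __name__ == "__main__":
    docroot = build_demo_project()
    for p in ["/.env", "/css/../.env", "/../composer.json",
              "/css/app.css", "/.htaccess", "/index.php~"]:
        print(p, decide(docroot, p))
```

Note that `/.env` is refused twice over: the dot-file rule answers 403 before the lookup, and even without that rule the file simply does not exist under public/, so the answer would be 404.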

nolros
2 years ago (76,670 XP)

Bashy thanks for sharing, makes sense. Cheers. You up late.

bashy
2 years ago (1,092,500 XP)

No problem, just about to post about denying access to those files on my blog :)

Yeah, almost 3 am here, I enjoy coding at night... so peaceful!

pranshu

Hello, you can create a .htaccess file in the same place and write the code below.

# Disable index view
Options -Indexes

# Hide a specific file
<Files .env>
    Order allow,deny
    Deny from all
</Files>
