
JennySwift's avatar

someone saw my .env file with my APP_KEY

Hi, I had a Codementor session with screen sharing and in the process of helping me my mentor saw my .env file which has my APP_KEY.

I don’t really understand what the APP_KEY is for so what I would like to know please, is could any harm be done as a result of it being seen? If yes, what harm could be done? And what should I do now, please?

0 likes
8 replies
janareit's avatar

Just regenerate your key. No security risk then whatsoever.

Type php artisan key:generate to generate a new key.

3 likes
bashy's avatar

And what about DB login details? Any other keys or passwords in there?

1 like
JennySwift's avatar

Thanks @bashy and @shahinul87. He only saw my local .env file so I figured no harm could be done from seeing the local db login details? My production environment variables are in Laravel Forge so he didn't see them. I just realized I don't have an APP_KEY environment variable for my production environment (because my APP_KEY is in my local .env file which gets ignored by git) and my app has been working fine without ever creating one. Should I have an APP_KEY for my production environment, too?

bashy's avatar

Okay, if it was local you don't need to worry about anything related to this file unless you had production credentials in it.

The APP_KEY should be separate to production so again, no harm.

1 like
JennySwift's avatar

That's a relief. Thanks @bashy, very helpful.

When you say the APP_KEY should be separate to production, do you mean I have a production APP_KEY somewhere? In Forge? Where would I find this please? I just want to know my production APP_KEY isn't the same as the APP_KEY he saw in my local .env file. When I ran php artisan key:generate to change it, I did that from homestead in the command line so I suppose that wouldn't have changed my production APP_KEY (if it exists).

bashy's avatar

No problem!

I've not used Forge myself but you should set the environment variables somewhere (including the APP_KEY). It's along with all the DB credentials as well.

1 like
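
An added example, not part of the original thread: a shell check for the question raised above, whether production uses the same APP_KEY as the local .env file, that never prints either key. It assumes both environment files are readable at paths you supply; the function names are hypothetical. Exit status is 0 when the keys differ, 1 when they match, and 2 when a file or key is missing.

```shell
#!/bin/sh
# Compare the APP_KEY in two Laravel .env files without printing either key.
# Added example; function names are hypothetical and paths come from the caller.

# Print the APP_KEY value from a .env file (last assignment wins,
# trailing whitespace/CR and surrounding quotes stripped).
app_key_of() {
    sed -n 's/^[[:space:]]*APP_KEY[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return codes: 0 = keys present and different, 1 = same key in both files,
# 2 = a file is unreadable or has no (or an empty) APP_KEY.
compare_app_keys() {
    local_env=$1
    prod_env=$2
    for f in "$local_env" "$prod_env"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done
    local_key=$(app_key_of "$local_env")
    prod_key=$(app_key_of "$prod_env")
    if [ -z "$local_key" ] || [ -z "$prod_key" ]; then
        echo "APP_KEY missing or empty in one of the files" >&2
        return 2
    fi
    if [ "$local_key" = "$prod_key" ]; then
        echo "SAME: production uses the key from the local file; rotate it" >&2
        return 1
    fi
    echo "DIFFERENT: the two environments use separate keys"
    return 0
}
```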
