.env and shared hosting

What you need to do is separate the public folder, and the application itself.

Move the contents of the public folder, into your shared hosting's public_html folder.

Then create a folder called application outside of the public_html folder, where you upload the rest of your application.

In the index.php file, in public_html folder, you need to update the autoload.php and app.php location to the below values.

require __DIR__.'/../application/bootstrap/autoload.php';
$app = require_once __DIR__.'/../application/bootstrap/app.php';

Now it should work as normal.

And yes, having the .env in a publicly accessible folder is very insecure.

Can you go to yoursite.com/config/database.php and see the credentials?

@Cronix No, it gives a error 403 (since the config folder is restricted )

@Thorgram I would still separate the application from the public folder, to completely rule out the possibility of them accessing anything they shouldn't.

Most shared hosting still lets you put files outside the webroot as long as it is still inside your user folder.

If you need to change what Laravel sees as the public folder you just need to bind the new folder to path.public in the IOC container.

For example if your shared host uses public_html as the webroot place the following in your bootstrap/app.php.

$app->bind('path.public', function() {
    return base_path().'/public_html';
});

You can then rename the public folder to public_html in your repository and your app will match the structure you need for your host.