saadaan's avatar

.ENV file exposed publicly

Hi,

How to safeguard my .env file from public access? I tried switching its permissions to 640, but the whole Laravel application crashes on this. Any better suggestions?

Thanks, Saad

Snapey's avatar

Yes, a much better suggestion.

Only the contents of the public folder should be served by your webserver. Anything else is a hack.

Last week, someone mentioned that they had hidden their .env file; however, I was able to quite happily access all the log files.

Set the public folder as the document root.

saadaan's avatar

Hi @snapey,

Yes, I attempted to do this as the first thing. But this causes issues to the other projects, since I have multiple Laravel projects running on the same server. So either I do a deep-config of my webserver for URL-based routing, or I find some tweak for hiding individual .env files, for now. Of course, will fix the logs thing later on, trying the variable safety first.

What else could be done?

Snapey's avatar

Web servers support something called virtual hosts, which allow hundreds of sites to live separately on the same server.

saadaan's avatar

Yes, this is what I am referring to, in webserver tweaks. I am trying to avoid it for now, temporarily.

Snapey's avatar

I personally won't help you because it's not the right way.
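
The setup recommended in the replies above (one virtual host per project, each with its public folder as the document root), as an added example that is not part of the original thread. It assumes nginx with PHP-FPM, which the thread does not specify; the hostnames, paths and socket are placeholders.

```nginx
# Constructed example: two Laravel projects on one server, one virtual host each.
# Hostnames, directory paths and the PHP-FPM socket path are placeholders.

server {
    listen 80;
    server_name app-one.example.test;

    # Only public/ is served. .env and storage/logs live one level above it,
    # so no URL on this host maps to them.
    root /var/www/app-one/public;
    index index.php;

    # Defence in depth: refuse dotfiles even if one ends up under public/.
    location ~ /\.(?!well-known) {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

server {
    listen 80;
    server_name app-two.example.test;

    # Second project, isolated from the first by its own server block.
    root /var/www/app-two/public;
    index index.php;

    location ~ /\.(?!well-known) {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading the server, a request for `/.env` or `/storage/logs/laravel.log` on either host should return 403 or 404 rather than file contents.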