Security question for env file

@Tray2 Hi, thanks for your reply. Simple, in cloudflare WAF, there are numerous requests for this file, .env.

@Tray2 Just for greater security, even though intruders won't be able to access the file, I wanted to change its name to be more secure, at least for me.

And was wondering if this approach is safe?

@YuMp you shouldn't even be using an environment file in production anyway.

@YuMp only by a little bit. Sadly chances are that the hacker can list files, if the manage to get access to the root of the project in the first place

@jlrdw Thanks for commenting, and what would be ideal for me? The correct thing is to use the .env file to declare the environment variables as database data and email services, how should I proceed in production then?

@Sinnbeck I found this on stackoverflow and wanted to know if it's safe but jlrdw's comment made me worried. So what am I doing wrong to put the project into production since as a jlrdw I shouldn't use the environment variables file. Thanks for answering.

@YuMp personally I use them, but you can instead inject them in the server as real environment variables. Laravel can read these as well

@YuMp see martinbean answer here:

https://laracasts.com/discuss/channels/general-discussion/encrypt-env?page=1&replyId=858384

@jlrdw On the question of encrypting the env. I believe this would not apply to my projects as they are all on shared hosting.

@Sinnbeck Ohh ok I got scared, I have several projects that have the .env file.

But back to the subject can I use this configuration to change the name of the .env file, is this approach safe even though they will never have access to the file?

Thanks

@YuMp I wasn't referring to encrypting I was referring to

You should be using actual environment variables in a server environment instead of .env files.

So use the config folder to place them.

@Sinnbeck Sorry to bother you, but can I use this setting in the app.php file inside bootstrap? setting to change .env file name?

It's safe? Thanks in advance.

@YuMp it should be possible yes. But as I said, it's only a tiny bit more secure. It only protects in cases where the hacker can access the file directly from the browser anyways (something you should guard against). So if it makes you feel more secure, go for it.

@YuMp Why not use actual environment variables like has been suggested to you multiple times now?

Anything you’re suggesting is just a poor alternative to using actual environment variables.

@martinbean I use shared hosting, I believe it is not possible to use actual variables in shared hosting, if you can send me a guide on how to implement it if I want to migrate to a dedicated server or vps in the future. Thanks in advance.

@martinbean I looked at the documentation and it only refers to the encryption of the .env file. Do you have a link to the documentation to implement the env file variables in the system?

https://laravel.com/docs/9.x/configuration

I found this video, basically everything I needed, thank you all. https://laracasts.com/series/server-management-with-forge/episodes/5