
Halim

Should we use the .env file in production as well, and how do we protect it?

I think the .env file was created to let users customize their local environment.

Is using this file in prod a good practice? Is there a risk?

If yes, what are the best ways to protect it against direct access, maybe search engines...

0 likes
8 replies
jlrdw

Protect it by setting up Laravel correctly, pointing to public as the document root. You should not be able to view .env from the browser.

Example:

yoursite.com/.env

If you get error 404, secure; if you can view it in the browser, not secure. .env is optional, however.

1 like
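A way to run the check jlrdw describes against a whole deployment, added here as an example that is not part of the thread: it probes a handful of files that live in the Laravel root (so they must never be reachable through the web server) and classifies each response. It assumes curl is installed and takes the base URL as a placeholder argument. A 200 is only counted as exposure when the body contains a line the real file would contain, because a catch-all route can answer 200 with HTML for any path.

```shell
#!/bin/sh
# Added example (not from the thread): probe a deployed Laravel site for files
# that must never be served. Assumes curl is installed; the base URL is a
# placeholder supplied on the command line.
# Usage: sh check_exposure.sh https://yourdomain.com

# Files that live in the Laravel root, outside public/. Any of them being
# served means the DocumentRoot points at the wrong directory.
SENSITIVE_PATHS=".env .env.example composer.json artisan storage/logs/laravel.log"

# Decide from status code and body whether a path is exposed. A 200 alone is
# not proof: a catch-all route may answer 200 with HTML, so also look for a
# line that only the real file would contain (an APP_KEY= line, composer's
# "require" key, artisan's shebang, a Laravel log level).
classify() {
  code="$1"
  body="$2"
  case "$code" in
    200)
      if printf '%s\n' "$body" | grep -Eq '^(APP_KEY|DB_PASSWORD|APP_ENV)=|"require"|^#!/usr/bin/env php|\.(ERROR|INFO|DEBUG):'; then
        echo "EXPOSED"
      else
        echo "200-but-no-secrets (check manually)"
      fi ;;
    403) echo "denied-by-server (file is under DocumentRoot; fix the root)" ;;
    404) echo "not-served" ;;
    *)   echo "status-$code (check manually)" ;;
  esac
}

# Fetch every path under the base URL and print one line per path.
probe() {
  base="${1%/}"
  for p in $SENSITIVE_PATHS; do
    tmp=$(mktemp)
    code=$(curl -sSL --max-time 10 -o "$tmp" -w '%{http_code}' "$base/$p" 2>/dev/null) || code=000
    body=$(head -c 4096 "$tmp")
    rm -f "$tmp"
    printf '%-26s %s  %s\n' "$p" "$code" "$(classify "$code" "$body")"
  done
}

# Run only when invoked with a base URL, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
  probe "$1"
fi
```

A 403 deserves attention on its own: it means the file sits under the DocumentRoot and only a deny rule stands between it and the internet, so a later config change can expose it. Run the probe against http:// as well as https:// and against every hostname that reaches the same document root.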
Halim

Thank you @jlrdw,

I agree, but if you deploy Laravel on shared hosting, many users suggest moving the files from public to the root folder where .env lives.

Yoh

I was facing the same issue after going through the same tutorials as you, I think ^^ The truth is, it's a really bad idea to change the structure of Laravel. You will have problems sooner or later... The best, as we have suggested to you, is to point your domain name to the public/ folder of your Laravel directory.

1 like
laracoft

@halim

The correct, secured Laravel folder structure should be:

└── blogapp             <- 1. Laravel root folder, DocumentRoot CANNOT point here
    ├── public          <- 2. DocumentRoot MUST point here, i.e. https://yourdomain.com
    │   └── robots.txt  <- 3. MUST be able to load https://yourdomain.com/robots.txt
    ├── .env
    ├── storage
    ...
    └── vendor

If for whatever reason you must follow the tutorial found here http://novate.co.uk/deploy-laravel-5-on-shared-hosting-from-heart-internet/

Then please structure it this way:

├── public_html         <- 2. DocumentRoot MUST point here
│   └── blog            <- 3. move and rename `public` as `blog`, https://yourdomain.com/blog
│       ├── robots.txt  <- 4. MUST be able to load https://yourdomain.com/blog/robots.txt
│       └── index.php   <- 5. Must modify this index.php
└── blogapp             <- 1. Laravel root folder, DocumentRoot CANNOT point here
    ├── .env
    ├── storage
    ...
    └── vendor

1 like
Snapey

I always use .env

I always make sure that only the public folder can be accessed from the outside.

2 likes
martinbean

@halim No, you should not be pushing .env files to production servers.

The .env file is there to mimic environment variables in environments where it’s difficult to use env vars proper, such as local development environments.

On your production server, you should be setting actual environment variables. Laravel will pick these up just like it would from an .env file.

This practice comes from the “Twelve-Factor App” principles, which state that an application should be configured by its environment. So you should be able to move your code from one server to another, and its configuration (database credentials, API keys, etc.) should be dictated by the environment instead of code.

3 likes
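One way to do what martinbean describes, added here as an example rather than anything from the thread: a small POSIX sh filter that converts a development .env file into php-fpm pool `env[...]` directives, so the production server carries the configuration as real environment variables and no .env file is deployed at all. The pool name `laravel`, the output path in the usage line, and the handling of quoted values are assumptions of this example. The pool must also set `clear_env = no`, otherwise php-fpm drops the environment before PHP ever sees it.

```shell
#!/bin/sh
# Added example, not from the thread: turn a development .env file into
# php-fpm pool `env[...]` directives so production runs on real environment
# variables and no .env file is shipped. Assumptions: POSIX sh, the pool name
# "laravel" and the output path are placeholders. Values are never shell-
# expanded, so a '$' inside a password survives untouched.
#
# Usage: sh dotenv_to_fpm.sh .env > /etc/php/8.2/fpm/pool.d/laravel-env.conf

# Read KEY=VALUE lines on stdin and emit `env[KEY] = VALUE` on stdout.
# Handles blank lines, `# comment` lines, an optional `export ` prefix, and
# values wrapped in single or double quotes (the quotes are removed).
# Lines without '=' or with a non-identifier key are reported and skipped.
dotenv_to_fpm() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;                 # blank or comment
      *=*) ;;                              # candidate assignment
      *) printf 'skipped malformed line: %s\n' "$line" >&2; continue ;;
    esac
    line="${line#export }"                 # `export KEY=...` form
    key="${line%%=*}"
    value="${line#*=}"
    case "$key" in
      *[!A-Za-z0-9_]*|'')
        printf 'skipped malformed line: %s\n' "$line" >&2; continue ;;
    esac
    case "$value" in
      \"*\") value="${value#\"}"; value="${value%\"}" ;;
      \'*\') value="${value#\'}"; value="${value%\'}" ;;
    esac
    printf 'env[%s] = %s\n' "$key" "$value"
  done
}

# Pool header: without clear_env = no the env[] directives never reach PHP
# (php-fpm clears the environment by default).
fpm_pool_header() {
  printf '%s\n' '[laravel]' 'clear_env = no'
}

# Run as a converter only when given a file, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
  fpm_pool_header
  dotenv_to_fpm < "$1"
fi
```

Keep the generated file readable only by root (it holds the same secrets the .env did), reload php-fpm after changing it, and remember that variables set on a pool are visible to every script that pool serves and in phpinfo() output. Values containing `;` or `"` should be checked by hand, since php-fpm reads the file as INI-style config.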
