
User1980

Unable to find out the right from the wrong for Laravel Installation

Hello everyone,

My hosting provider + other Laravel devs are all telling me that it is not a risk to upload Laravel (the entire folder) within the public_html folder, as the server will not show the .env or other sensitive files.

I have other app developers who are selling their apps and are telling everyone to upload their main folder above the public_html.

Unless someone can explain the risks, I will never really understand why some in this forum are against uploading the files above the public_html and why for some it does not matter (they are telling me that it is absolutely safe).

Could someone give me a technical reason for not doing so? This way I can send this forum post to my hosting provider + many other Laravel devs.

Thank you,

0 likes
8 replies
LaryAI
Level 58

It is generally recommended to keep sensitive files, such as the .env file, outside of the public_html folder to prevent unauthorized access. If the .env file is located within the public_html folder, it can be accessed by anyone who knows the file path.

To keep sensitive files outside of the public_html folder, you can create a folder outside of public_html and move all Laravel files there except for the public folder. Then, create a symbolic link from public_html to the public folder within the Laravel directory.

Here's an example of how to create a symbolic link using the command line:

# /path/to/public_html must not already exist as a directory, otherwise ln creates the link inside it as public_html/public
ln -s /path/to/laravel/public /path/to/public_html

This will create a symbolic link from the public folder within the Laravel directory to the public_html folder.

By doing this, the sensitive files will be kept outside of the public_html folder and will not be accessible to anyone who visits your website.

Snapey
Best Answer
Level 122

As well as .env being exposed, your storage folders are readable (including logs).

If you use an SQLite database, it is now held publicly.

Your code base should be the same locally as in production, but some hack the index.php file or server.php file to make it work in production.

User1980

Hello Snapey,

And if you redirect your server to point the www to the public folder directly, how will people access the .env and logs? My hosting provider told me that with the redirect, no one will ever find the .env or the other folders below. They are also telling me that the server will not output the .env text to the public.

I really need to understand that because a lot of Laravel developers are now telling me that the above is the old way.

kokoshneta

@User1980 If you redirect your server to the public folder (meaning you set the server's DOCUMENT_ROOT to it), then you're safe, yes. That is what it's supposed to be.

It doesn’t matter where on your server your Laravel project is uploaded. What matters is that the server’s DOCUMENT_ROOT (i.e., the directory that the server takes as its basis) should be the public folder, not the base folder.

Many servers that have public_html folders are shared servers which do not allow the user to change the document root. In a case like that, uploading the project to public_html means everything will become visible to the outside world – and that should always be avoided.

If your server allows you to change where the document root is, and you do change it to be the public folder inside your project, then you are all right.

But if you have access to changing the document root, and you also have access to folders outside the public_html folder, there’s no real reason why you would want to upload your project there. If your server has a directory structure like www/sites/www.mysite.com/public_html, then you may as well just upload the project directly into www/sites/www.mysite.com and point the document root at www/sites/www.mysite.com/public.

1 like
User1980

@kokoshneta Yes, this is what my hosting provider told me: to change the document root. About having the document root below the public_html, I need to try, as the maker of the script I am installing is telling everyone to absolutely put the script above the public_html for all the features to work. Perhaps because there is an auto upgrade script working on it? Not sure.

User1980

@kokoshneta I also wanted to add your answer as the best answer but could not add both unfortunately sorry.

Snapey

Plenty of web servers WILL output the .env file.

Try googling filetype:env APP_KEY

Ignore the ones that are public code repos
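Editor's added example (not part of any reply in this thread, and not Laravel's or any poster's code): a small probe that checks whether the files the replies above mention (.env, storage/logs, an SQLite database) are reachable over HTTP, which is exactly what happens when the document root is the project root instead of public/. It only counts a hit when the body carries the marker the real file would have (an APP_KEY= line, a timestamped log line, the SQLite header), so a host that answers every URL with a friendly 200 page is not reported as exposed. composer.json is added as a fourth path beyond what the thread lists, because a served composer.json confirms the whole project tree is under the document root. The hostname www.example.com, the fetcher and the two simulated response tables are assumptions constructed for the example; pass your own site's base URL on the command line to probe a real server.

```python
"""Probe a Laravel deployment for files that must never be reachable over HTTP.

Added example, not code from this thread or from Laravel. Run with no arguments
to see the two simulated layouts; run with a base URL to probe a real site.
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Files that live in the Laravel project root, i.e. above public/. Each maps to
# a marker that the genuine file contains, so that a soft-404 page is ignored.
SENSITIVE_PATHS = {
    ".env": re.compile(rb"^\s*APP_KEY=", re.M),                       # app key, DB password
    "storage/logs/laravel.log": re.compile(rb"^\[\d{4}-\d{2}-\d{2}", re.M),  # Monolog timestamp
    "database/database.sqlite": re.compile(rb"^SQLite format 3\x00"),  # SQLite file header
    "composer.json": re.compile(rb'"laravel/framework"'),             # beyond the thread: confirms the tree
}


def looks_like(path, body):
    """True if the body has the marker expected for that file (not a decoy or error page)."""
    return SENSITIVE_PATHS[path].search(body) is not None


def classify(path, status, body):
    """Return 'exposed', 'blocked' or 'not-found' for a single probe result."""
    if status == 200 and looks_like(path, body):
        return "exposed"
    if status in (401, 403):
        return "blocked"
    return "not-found"


def fetch_http(url):
    """Default fetcher: (status, body). HTTP errors become their status code."""
    req = urllib.request.Request(url, headers={"User-Agent": "laravel-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536)
    except HTTPError as e:
        return e.code, b""
    except URLError:
        return 0, b""


def probe(base_url, fetch=fetch_http):
    """Probe every sensitive path below base_url; returns {path: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(p, *fetch(base + p)) for p in SENSITIVE_PATHS}


def exposed(results):
    """Sorted list of paths whose verdict is 'exposed'."""
    return sorted(p for p, v in results.items() if v == "exposed")


# Constructed responses (assumption, not captured traffic) for the two layouts
# discussed above. Layout A: project uploaded into public_html, so the document
# root is the project root. Layout B: document root is <project>/public.
SIMULATED_PROJECT_ROOT_SERVED = {
    ".env": (200, b"APP_NAME=Laravel\nAPP_KEY=base64:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU=\nDB_PASSWORD=hunter2\n"),
    "storage/logs/laravel.log": (200, b"[2024-01-01 00:00:00] production.ERROR: example\n"),
    "database/database.sqlite": (200, b"SQLite format 3\x00" + b"\x00" * 16),
    "composer.json": (200, b'{"require": {"laravel/framework": "^10.0"}}'),
}
SIMULATED_PUBLIC_SERVED = {p: (404, b"<h1>Not Found</h1>") for p in SENSITIVE_PATHS}


def simulated_fetch(table):
    """Build a fetcher that answers from a constructed table instead of the network."""
    def fetch(url):
        path = url.split("/", 3)[3]  # strip scheme://host/
        return table.get(path, (404, b""))
    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, fetcher = sys.argv[1], fetch_http
    else:
        target, fetcher = "https://www.example.com", simulated_fetch(SIMULATED_PROJECT_ROOT_SERVED)
    results = probe(target, fetcher)
    for path, verdict in results.items():
        print(f"{verdict:10} {target.rstrip('/')}/{path}")
    sys.exit(1 if exposed(results) else 0)
```

A non-zero exit with any path marked exposed is the technical answer to the original question: the web server is serving the project root, and renaming or "hiding" nothing will fix it; only moving the document root to public/ (or the project above public_html) does. A 403 on .env means the host has a deny rule for that one file, which still leaves storage/ and database/ to check.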

User1980

@Snapey I understand now. I only get about 689 results on Google, which means that this is probably something that used to happen a lot in the past but has stopped now with the new server security, as my hosting provider told me that there is no way the .env shows up on their server and asked me to try, but I could not access it. Thanks for your input!
