Hi, so my company uses shared hosting and I want to deploy Laravel onto it. I already searched how to do it and it's working fine now, but I encountered one post (I forgot where I found it) saying that there's a security issue when uploading Laravel to shared hosting. Is this true? If not, are there any minor or major issues I should be aware of?
EDIT: So in my case, .env was accessible in my deployed Laravel app because I put the files in a subdirectory, so what I did was transfer all the files to the website's main root and change the public folder to any name I want. So changing the .env variable APP_ENV to production will still leave your .env accessible if it's still in a subdirectory.
Many people break Laravel's folder structure and/or ignore the fact that ONLY the public folder should be accessible by the public, or in simpler terms, the public folder should be the document root of the website.
This results in a security breach since many files (including the .env file) will be completely open for anyone to view. It doesn't take a hacker or special skills to log into a database when you have the host, username and password.
@SaeedPrez Wow, thanks for sharing. I immediately checked the website which has Laravel installed. Thankfully, it responded with a route error. And I saw in your post that in order to prevent this I just have to make APP_DEBUG = FALSE?
EDIT: It produced a route error because I forgot to add the dot in env, and when I added the dot it gave me the whole .env content.
There are MANY different security issues to think about, but keeping the folder structure and setting the document root to the public folder is one that many people fail to do.
Another one I've seen a lot is people either not using a database password or using easy passwords like 'password', 'secret', 'root', etc.
Also, if possible, always use SSL (HTTPS).
Luckily Laravel takes care of a lot of these for you, e.g. SQL injection and Cross-Site Request Forgery.
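The document-root rule from the replies above, as an on-disk check you can run over SSH on your own hosting account. This is an added example, not part of the original thread; the function name `audit_docroot` and the marker list are assumptions based on a stock Laravel project layout. It searches for `.env*` at any depth, so it also catches the subdirectory case from the first post's EDIT.

```shell
#!/bin/sh
# Added example: check that nothing from the Laravel project root sits
# inside the directory the web server serves (the document root).

# Project-root entries of a stock Laravel app (assumed layout).
# "storage" and "vendor" are left out on purpose: public/storage (the
# storage:link symlink) and public/vendor (published package assets)
# legitimately exist inside a correct document root.
PRIVATE_ITEMS="artisan composer.json composer.lock bootstrap config database routes"

# audit_docroot DIR
# Prints "EXPOSED: <path>" for every finding.
# Returns 0 if clean, 1 if something is exposed, 2 if DIR is not a directory.
audit_docroot() {
    docroot=$1
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    status=0

    # .env and its variants (.env.backup, .env.production, ...) at any
    # depth: an app copied into a subdirectory of the document root
    # exposes its .env just the same.
    env_files=$(find "$docroot" -type f -name '.env*' | sort)
    if [ -n "$env_files" ]; then
        printf '%s\n' "$env_files" | sed 's/^/EXPOSED: /'
        status=1
    fi

    # Project-root markers directly in the document root mean the whole
    # project, not just public/, is being served.
    for item in $PRIVATE_ITEMS; do
        if [ -e "$docroot/$item" ]; then
            echo "EXPOSED: $docroot/$item"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: sh audit.sh /path/to/document/root
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

A clean result only covers file placement; the server's document-root setting itself still has to point at the `public` folder.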