You could just set actual environment variables rather than relying on a project file (.env) - it would at least mitigate the many, many situations where the .env file is exposed publicly because of a badly configured web server. If someone gets shell access to your server, the malicious actor will still have access to plain-text credentials, but your security has been compromised completely at that point anyway...
Mar 3, 2021
Best practices for .env data safekeeping?
Working through a number of tutorials on creating microservices using the Lumen stack... one thing I have yet to find is information on best practices/techniques for deploying and hiding sensitive information that may wind up in the .env file.
What is common is putting the password to (at least) the database used for the service directly in this file. All examples show this in clear text. Is it common to just generate it in clear text (I'm authoring a deployment script for this) and control (in this case disallow) access to the .env file through network access rules?
Any references on this would be greatly appreciated!
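Both approaches discussed in this thread, as an added example that is not code from the question, the reply, or Lumen itself: a POSIX shell deploy helper that generates the database password from the kernel CSPRNG, writes the .env file so that only the deploying user can read it, checks that the file sits outside the web document root, and, for the reply's alternative, loads the file into real environment variables for the service process instead of leaving it readable by the application. The paths (/srv/app), the `service` database name and user, and the function names are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Lumen/Laravel. Placeholder
# names: /srv/app, the "service" database/user, and all function names.

# Generate a 64-hex-character secret from the kernel CSPRNG using only
# POSIX tools (dd, od, tr), so the deploy script has no extra dependencies.
gen_secret() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write a minimal Lumen-style .env at $1 with DB password $2.
# The subshell scopes the umask: the file is created 0600 without
# changing the umask of the calling shell.
write_env() {
  (
    umask 077
    cat > "$1" <<EOF
APP_ENV=production
APP_DEBUG=false
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_DATABASE=service
DB_USERNAME=service
DB_PASSWORD=$2
EOF
  )
}

# Succeed only if the file is readable by its owner alone (mode 600).
# GNU stat is tried first, BSD stat as the fallback.
check_env_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Succeed only if the .env path $1 is NOT under the web document root $2
# (for Lumen that is the public/ directory), so a misconfigured server
# cannot hand it out as a static file in the first place.
check_outside_docroot() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# The reply's approach: export every KEY=VALUE line of $1 into the
# environment and exec the remaining arguments as the service process.
# The file can then live outside the project (e.g. under /etc, root:root
# 0600) and the application reads getenv() rather than a file in its tree.
# Only simple KEY=VALUE lines are handled; quote values containing spaces.
run_with_env() {
  envfile=$1
  shift
  set -a          # auto-export every variable assigned from here on
  . "$envfile"
  set +a
  exec "$@"
}

# Usage when run directly: sh deploy.sh /srv/app/.env /srv/app/public
if [ $# -eq 2 ]; then
  pw=$(gen_secret)
  write_env "$1" "$pw"
  check_env_perms "$1" && check_outside_docroot "$1" "$2" && echo ".env written and checked"
fi
```

Whichever approach you pick, also have the web server refuse dotfiles as a second line of defence (in nginx, a `location ~ /\.env { deny all; }` block inside the server context), keep `APP_DEBUG=false` in production so error pages do not leak configuration, and make the file owner the deploying user rather than the PHP-FPM user unless the application genuinely needs to read it.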