Cookies ahead

Our support chat tool "Intercom" would like to collect some more data on you. See the related link for more details.

Docs

Security considerations for env vars

Reviewedbyfl

Markdown ↓

🔐

Keep secrets out of version control.

Environment variables store sensitive data like database passwords and API keys. Keep env vars out of version control and public access to prevent unauthorized access.

Don't deploy a .env file to production

Never deploy your .env file to production because it contains plaintext secrets. Exclude .env from Git entirely and never deploy it via SSH/SFTP. If .env is in the web root and server access controls don't block it, anyone could access it by requesting yourdomain.com/.env.

Don't expose phpinfo

The phpinfo() function displays all environment variables, making them readable to anyone who accesses it. Remove phpinfo pages from production entirely. Note that debugging toolbars and profilers may also expose phpinfo by default.

Encode and decode env vars

Base64 encoding adds a layer of obfuscation for sensitive configuration values. Encode the secret value, store the encoded string in your env var, then decode it in your application code. To encode:

php -r "echo base64_encode('YOUR-M$Pa#A-VALUEx') . PHP_EOL;"
php

Decode the value in your configuration file with base64_decode(). See this Laravel discussion for implementation examples.

Written by a human. Review, grammar checks and typo fixes by AI.

AI use & editorial processEdit on GitHub ↗