Security considerations for ENV vars
ENV vars are the predominant way to configure PHP-based websites on a per-environment basis. Sensitive data like database passwords and API keys are often stored in ENV vars. Take care to keep your secrets a secret.
# Don't deploy a .env file to production
Do not deploy your .env file to production, or to anything that is public. The .env file should be excluded from Git, and it should not be uploaded by SSH/SFTP either. When the .env file sits in the web root, the whole internet may be able to read it simply by requesting yourdomain.com/.env.
# Don't expose phpinfo
A phpinfo() page exposes all environment variables. Make sure not to expose a public phpinfo(). Mind that many debugging toolbars also include a phpinfo() view.
# Encode and decode ENV vars
Use a base64-encoded string and decode it when applying it to your configuration in your code. Encoding works like this (the `$` in the sample value is escaped so the shell does not expand it before PHP sees it):

```shell
php -r "echo base64_encode('YOUR-M\$Pa#A-VALUEx') . PHP_EOL;"
```
And this example should give you an idea of how you can do the decoding.
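The following is an added example of the decoding side, not code from the original page. It assumes the encoded value is stored in an environment variable named `DB_PASSWORD_B64` (a hypothetical name) and decodes it with `base64_decode()` in strict mode, so a corrupted or truncated value fails loudly instead of silently producing a wrong password. Note that base64 is an encoding, not encryption: it keeps characters such as `$` and `#` from being mangled by the shell or a dotenv parser, but anyone who can read the variable can decode it, so the rules about .env files and phpinfo() above still apply.

```php
<?php
// Added example (not from the original page). Reads a base64-encoded secret
// from the environment and returns the decoded value for use in configuration.
function envSecret(string $name): string
{
    $encoded = getenv($name);
    if ($encoded === false || $encoded === '') {
        throw new RuntimeException("Missing environment variable: $name");
    }

    // Strict mode: reject characters outside the base64 alphabet instead of
    // silently dropping them, so a mangled value is caught at startup.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        throw new RuntimeException("Environment variable $name is not valid base64");
    }

    return $decoded;
}

// Constructed sample: simulate the value produced by the encoding command above.
// In production this variable would be set by the hosting environment, not in code.
putenv('DB_PASSWORD_B64=' . base64_encode('YOUR-M$Pa#A-VALUEx'));

// Apply the decoded secret to the configuration array (hypothetical layout).
$config = [
    'database' => [
        'password' => envSecret('DB_PASSWORD_B64'),
    ],
];

// The decoded value must match the original plaintext exactly.
if ($config['database']['password'] !== 'YOUR-M$Pa#A-VALUEx') {
    throw new RuntimeException('Round trip failed');
}
echo "Decoded secret applied to configuration" . PHP_EOL;
```

Keep the decoding in one helper like this so every secret goes through the same validation, and never log or echo the decoded value itself.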