Security considerations for env vars
Reviewedbyfl
Markdown ↓🔐
Keep secrets out of version control.
Environment variables store sensitive data like database passwords and API keys. Keep env vars out of version control and public access to prevent unauthorized access.
Don't deploy a .env file to production
Never deploy your .env file to production because it contains plaintext secrets. Exclude .env from Git entirely and never deploy it via SSH/SFTP. If .env is in the web root and server access controls don't block it, anyone could access it by requesting yourdomain.com/.env.
Don't expose phpinfo
The phpinfo() function displays all environment variables, making them readable to anyone who accesses it. Remove phpinfo pages from production entirely. Note that debugging toolbars and profilers may also expose phpinfo by default.
Encode and decode env vars
Base64 encoding adds a layer of obfuscation for sensitive configuration values. Encode the secret value, store the encoded string in your env var, then decode it in your application code. To encode:
php -r "echo base64_encode('YOUR-M$Pa#A-VALUEx') . PHP_EOL;"
Decode the value in your configuration file with base64_decode(). See this Laravel discussion for implementation examples.