
Security considerations for ENV vars

Keep secrets out of version control.

ENV vars are the predominant way to configure PHP-based websites on a per-environment basis. Sensitive data such as database passwords and API keys is often stored in ENV vars, so take care to keep your secrets secret.

Don't deploy a .env file to production

Do not deploy your .env file to production or to any host that is publicly reachable. Exclude .env from Git (add it to .gitignore), and don't copy it to the server via SSH/SFTP either. If the .env file ends up in the web root, anyone may be able to read it simply by requesting yourdomain.com/.env. Set real environment variables on the server instead, for example in the web server, PHP-FPM pool or container configuration.
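As a defence in depth, refuse to serve dotfiles from the web root at all, so that a .env (or .git directory) that slips through can still not be fetched. The following nginx location block is an added example, not configuration from the original page; the surrounding server block and the rest of the site configuration are assumed to exist already:

```nginx
# Added example, not part of the original page.
# Drop every request whose path contains a "/." segment (.env, .git/, .htaccess, ...).
# Put this inside your existing server { ... } block; regex locations take
# precedence over prefix locations, so it applies before any "location /" rule.
location ~ /\. {
    return 404;       # answer as if the file does not exist (a 403 would confirm it does)
    access_log off;   # do not fill the log with scanner noise
}
```

After reloading nginx, check it from outside with `curl -sI https://yourdomain.com/.env`, which should now return 404. Note that this only covers dotfiles: a copy saved as `env.bak` or `.env.txt` renamed to `env.txt` is not protected, which is another reason not to deploy the file in the first place.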

Don't expose phpinfo

phpinfo() prints every environment variable, including the ENV vars that hold your secrets. Make sure no publicly reachable page calls phpinfo(). Be aware that many debug toolbars also include a phpinfo() section, so disable them in production.

Encode and decode ENV vars

Values that contain characters a .env parser may treat specially (for example `#`, which can start a comment, or `$`, which can trigger variable interpolation) are easy to truncate or mangle. Store such a value as a base64 encoded string and decode it when you apply it to your configuration in code. Keep in mind that base64 is an encoding, not encryption: anyone who can read the ENV var can decode it, so this does not replace the precautions above. Encoding works like this:

```shell
# Outer single quotes stop the shell from expanding $Pa; the backslash stops PHP from interpolating it.
php -r 'echo base64_encode("YOUR-M\$Pa#A-VALUEx") . PHP_EOL;'
```

The following example should give you an idea of how to do the decoding.
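Here is an added example of the decoding side (example code, not code from the original page). It reads the base64 encoded value from the environment, decodes it in strict mode so that a corrupted or truncated value fails loudly instead of silently yielding a wrong password, and verifies that the `$` and `#` survived the round trip. The variable name `APP_DB_PASSWORD_B64` and the use of `getenv()` are assumptions; adapt them to your own configuration loader:

```php
<?php
// Added example, not part of the original page.
// Reads a base64 encoded secret from an ENV var and decodes it before use.
// The ENV var name APP_DB_PASSWORD_B64 is an assumption for this example.

function envSecret(string $name): string
{
    $encoded = getenv($name);
    if ($encoded === false || $encoded === '') {
        throw new RuntimeException("ENV var $name is not set");
    }

    // Strict mode makes base64_decode() return false when the input contains
    // any character outside the base64 alphabet, instead of skipping it and
    // returning a silently wrong value.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        throw new RuntimeException("ENV var $name is not valid base64");
    }

    return $decoded;
}

// Simulate what a .env loader or the server configuration would have put
// into the environment. Constructed sample value: the base64 encoding of
// 'YOUR-M$Pa#A-VALUEx', i.e. the output of the encoding command above.
putenv('APP_DB_PASSWORD_B64=WU9VUi1NJFBhI0EtVkFMVUV4');

$password = envSecret('APP_DB_PASSWORD_B64');

// The decoded value still contains '$' and '#', which an unquoted .env line
// might otherwise have mangled via interpolation or comment handling.
var_dump($password === 'YOUR-M$Pa#A-VALUEx'); // bool(true)

// A damaged value fails instead of being used as a wrong password.
putenv('APP_DB_PASSWORD_B64=WU9VUi1NJFBh!broken');
try {
    envSecret('APP_DB_PASSWORD_B64');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // ENV var APP_DB_PASSWORD_B64 is not valid base64
}
```

Pass the decoded value straight into your database or API client configuration; do not write it back into another ENV var or log it, since that would undo the only benefit of the detour.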

Written by a human. Review, grammar checks and typo fixes by AI.
