Exposed .env Files

Easy

Checks if .env files are publicly accessible.

Estimated fix time: 5 minutes

What are Exposed .env Files?

Laravel's .env file contains sensitive configuration including database credentials, API keys, and application secrets. If this file is publicly accessible, attackers can steal credentials and compromise your entire application.

Security Impact

Severity: Critical

  • Database credential theft
  • API key exposure
  • Application secret compromise
  • Complete application takeover
  • Data breach

How to Fix

1. Server Configuration (Primary Fix)

Nginx Configuration:

location ~ /\.env {
    deny all;
    return 404;
}

# Also block other sensitive files
location ~ /\.(git|svn|hg) {
    deny all;
    return 404;
}

Apache Configuration (.htaccess):

Laravel's public .htaccess should already include:

# Block access to .env
<FilesMatch "^\.env">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block hidden files
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

2. Verify .env Location

Ensure .env is in the project root, NOT in the public directory:

✓ Correct:
/var/www/myapp/.env
/var/www/myapp/public/ (web root)

✗ Wrong:
/var/www/myapp/public/.env

3. Set Proper File Permissions

# Set restrictive permissions
chmod 600 .env
chown www-data:www-data .env

# Or more restrictive
chmod 400 .env  # Read-only for owner

4. Add .env to .gitignore

Ensure .env is never committed:

# .gitignore
.env
.env.backup
.env.production
.env.local

5. Use Environment-Specific Files

# Development
cp .env.example .env

# Production (use secure method)
# Never copy .env files directly to production
# Use deployment tools or secrets management

Verification Steps

  1. Try accessing https://yourdomain.com/.env - should return 404 or 403
  2. Try https://yourdomain.com/../.env - should be blocked
  3. Check file permissions: ls -la .env
  4. Verify web server configuration is active
  5. Use online scanners to verify protection

Prevention Best Practices

1. Use Environment Variables

Instead of .env files in production, use server environment variables:

# Set in server environment
export APP_KEY="base64:your-key"
export DB_PASSWORD="secure-password"

# Or use supervisor/systemd environment
[supervisord]
environment=APP_KEY="base64:your-key",DB_PASSWORD="secure-password"

2. Use Secrets Management

For cloud deployments:

AWS:

// Use AWS Secrets Manager through the AWS SDK for PHP (Aws\SecretsManager\SecretsManagerClient)
use Aws\SecretsManager\SecretsManagerClient;

$client = new SecretsManagerClient(['version' => 'latest', 'region' => 'us-east-1']); // region: adjust to yours
$result = $client->getSecretValue([
    'SecretId' => 'prod/myapp/db',
]);
$secret = $result['SecretString']; // the stored value, typically a JSON string of credentials

Laravel Vapor:

vapor secret set DB_PASSWORD "secure-password"

Docker:

# docker-compose.yml
services:
  app:
    environment:
      - APP_KEY=${APP_KEY}
      - DB_PASSWORD=${DB_PASSWORD}
    env_file:
      - .env

3. Rotate Secrets Regularly

# Regenerate application key
php artisan key:generate

# Update database passwords
# Update API keys
# Update OAuth secrets

4. Use .env.example as Template

# .env.example (safe to commit)
APP_NAME=Laravel
APP_ENV=production
APP_KEY=
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=laravel
DB_USERNAME=root
DB_PASSWORD=

# .env (never commit)
APP_NAME=MyApp
APP_ENV=production
APP_KEY=base64:actual-secret-key
DB_PASSWORD=actual-password

Web Server Testing

Test Nginx Configuration

# Test configuration syntax
sudo nginx -t

# Reload configuration
sudo systemctl reload nginx

# Test access
curl -I https://yourdomain.com/.env
# Should return: 404 Not Found or 403 Forbidden

Test Apache Configuration

# Test configuration
sudo apache2ctl configtest

# Reload configuration
sudo systemctl reload apache2

# Test access
curl -I https://yourdomain.com/.env
# Should return: 404 Not Found or 403 Forbidden

Emergency Response

If your .env file was exposed:

  1. Immediately change all credentials:

    # Regenerate app key
    php artisan key:generate --force
    
    # Change database passwords
    # Rotate API keys
    # Update OAuth secrets
    
  2. Block access:

    location ~ /\.env {
        deny all;
        return 404;
    }
    
  3. Check logs for access:

    # Nginx
    grep "\.env" /var/log/nginx/access.log
    
    # Apache
    grep "\.env" /var/log/apache2/access.log
    
  4. Audit for unauthorized access:

    • Check for new database users
    • Review recent API calls
    • Look for suspicious admin logins

  5. Notify stakeholders
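The grep in step 3 finds every request that mentions .env, but an incident responder needs to know whether any of those requests actually succeeded. The following is an added example (not part of the original guide) that parses Nginx/Apache "combined" format access-log lines, isolates requests for .env and its variants, and separates blocked probes (403/404) from successful reads (200 with a non-empty body); the sample log lines are constructed.

```python
import re

# Nginx/Apache "combined" format: ip - user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# .env plus the variants commonly left beside it (.env.backup, .env.production, ...)
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w-]+)?$')

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])
    return rec

def env_requests(lines):
    """Parsed requests whose path (query string stripped) targets a .env file."""
    return [rec for rec in map(parse_line, lines)
            if rec and ENV_PATH_RE.search(rec['path'].split('?', 1)[0])]

def triage(lines):
    """Split .env requests into blocked probes and successful reads.

    A 200 with a non-empty body means the server served the file: treat the
    secrets as stolen and rotate them. 403/404 hits are probes that were blocked."""
    exposed, blocked = [], []
    for rec in env_requests(lines):
        (exposed if rec['status'] == 200 and rec['bytes'] > 0 else blocked).append(rec)
    return exposed, blocked

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:01:12 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:13 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:09:17:40 +0000] "GET /.env HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.23 - - [10/Mar/2024:09:17:41 +0000] "GET /environment HTTP/1.1" 200 5120 "-" "curl/8.4.0"
192.0.2.9 - - [10/Mar/2024:11:02:05 +0000] "GET /.env?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    exposed, blocked = triage(SAMPLE_LOG)
    print(f"{len(blocked)} blocked probes, {len(exposed)} successful reads")
    for rec in exposed:
        print(f"  ROTATE SECRETS: {rec['ip']} read {rec['path']} at {rec['time']}")
```

To run it against a real server, replace SAMPLE_LOG with the lines of /var/log/nginx/access.log or /var/log/apache2/access.log; any entry in the exposed list means the credentials in that file must be rotated, not just the access blocked.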


Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
