How to Fix an Exposed .env File in Laravel
Your Laravel .env file is publicly accessible, exposing database credentials and API keys. Learn how to block access and secure your secrets.
The Problem
An exposed .env file means your database credentials, API keys, APP_KEY, and application secrets are publicly accessible to anyone who visits yourdomain.com/.env. This is one of the most critical Laravel security vulnerabilities because it gives attackers everything they need to compromise your application. Automated bots constantly scan for exposed .env files across the internet.
How to Fix
1. Block .env access in Apache (.htaccess)
Add a rule to your public/.htaccess file that denies access to all dotfiles, or a narrower rule that matches .env only.
2. Block .env access in Nginx
Add a location rule to your Nginx server block that denies access to dotfiles, then reload Nginx so the change takes effect.
3. Verify your document root points to /public
Your web server document root (DocumentRoot in Apache, root in Nginx) must point to the /public directory, not the Laravel project root. If your document root points to the project root, every file including .env, composer.json, and your entire app directory is potentially accessible.
4. Move secrets to environment variables
For additional security, set sensitive values as server-level environment variables instead of relying solely on the .env file. In your hosting panel or server config, set the variables directly.
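Steps 1 to 3 come down to two settings that can be checked mechanically before a config is reloaded: the document root must be the public/ directory, and a rule must deny dotfiles. The script below is an added example, not the guide's or Laravel's own code; it audits an Nginx or Apache config file for both settings, and the three sample configs it writes (a correct Nginx block, a misconfigured one, and a correct Apache vhost; the paths, domain and socket are constructed) show what a passing configuration looks like. The FilesMatch block in the Apache sample is the same one that belongs in public/.htaccess.

```shell
#!/bin/sh
# Audit a Nginx or Apache config for the two settings steps 1-3 require:
#   (a) the document root must be the Laravel public/ directory
#   (b) dotfiles must be denied: "location ~ /\." + "deny all" (Nginx) or
#       FilesMatch "^\." + "Require all denied" (Apache)
# Added example; the sample configs written by make_samples are constructed.

# audit_config FILE -> prints findings; returns 0 when both checks pass, 1 otherwise
audit_config() {
    file="$1"
    rc=0

    # (a) Nginx uses "root /path;", Apache uses DocumentRoot "/path"; collect every value
    roots=$(grep -E '^[[:space:]]*(root|DocumentRoot)[[:space:]]' "$file" | awk '{print $2}' | tr -d ';"')
    if [ -z "$roots" ]; then
        echo "WARN $file: no document root directive found"
        rc=1
    fi
    for r in $roots; do
        case "$r" in
            */public|*/public/) ;;
            *) echo "FAIL $file: document root '$r' is not the Laravel public/ directory"; rc=1 ;;
        esac
    done

    # (b) a dotfile deny rule in either server's syntax
    if grep -qE 'location[[:space:]]+~[[:space:]]+/\\\.' "$file" && grep -qE '^[[:space:]]*deny[[:space:]]+all' "$file"; then
        :
    elif grep -qE 'FilesMatch[[:space:]]+"\^\\\."' "$file" && grep -qiE 'Require[[:space:]]+all[[:space:]]+denied' "$file"; then
        :
    else
        echo "FAIL $file: no rule denying access to dotfiles such as .env"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $file"
    return "$rc"
}

# make_samples DIR -> writes three constructed configs: a correct Nginx block, a misconfigured
# Nginx block (project root served, no deny rule), and a correct Apache vhost
make_samples() {
    dir="$1"
    cat > "$dir/nginx-good.conf" <<'EOF'
server {
    listen 80;
    server_name example.com;
    root /var/www/app/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # deny every dotfile (.env, .git, ...) except the ACME challenge directory
    location ~ /\.(?!well-known) {
        deny all;
    }
}
EOF
    cat > "$dir/nginx-bad.conf" <<'EOF'
server {
    listen 80;
    server_name example.com;
    root /var/www/app;
    location / {
        try_files $uri $uri/ /public/index.php?$query_string;
    }
}
EOF
    cat > "$dir/apache-good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/app/public"
    <Directory "/var/www/app/public">
        AllowOverride All
        Require all granted
    </Directory>
    # the same block works in public/.htaccess
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
EOF
}

# Audit the files named on the command line, or the constructed samples when none are given.
# $status is 1 afterwards if any file failed.
status=0
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_config "$f" || status=1; done
else
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in "$tmp"/*.conf; do audit_config "$f" || status=1; done
fi
```

Run it as `sh audit-docroot.sh /etc/nginx/sites-enabled/app.conf` (or any Apache vhost file) before `nginx -t` or `apachectl configtest`; a FAIL line names the exact setting to correct. The check is textual, so it will not see directives pulled in through `include`; audit those files too.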
How to Verify
Visit yourdomain.com/.env in your browser. You should see a 403 Forbidden or 404 Not Found response, not your environment file contents. Also test with curl:
curl -I https://yourdomain.com/.env
The response should be 403 or 404, not 200.
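The status code alone can mislead in one direction: a 200 whose body is an HTML page usually means the front controller (public/index.php) answered the request rather than the file being served, so it deserves a look but is not proof of exposure. The script below is an added example, not part of the original guide; it performs the same probe as the curl command above but with a GET (a HEAD request carries no body to inspect) and judges the result by status and content. The base URL is supplied by the caller; the sample bodies in the classifier's comments are constructed.

```shell
#!/bin/sh
# Probe a site for an exposed .env and judge the response by status *and* body.
# Added example; assumes curl is installed and the caller passes the site's base URL.

# classify_env_response STATUS BODY -> exposed | blocked | review
classify_env_response() {
    status="$1"
    body="$2"
    case "$status" in
        403|404)
            echo blocked ;;
        200)
            # a real Laravel .env is KEY=value text and always carries these variables
            if printf '%s\n' "$body" | grep -qE '^(APP_KEY|APP_ENV|DB_PASSWORD)='; then
                echo exposed
            else
                # 200 without env content: an app route or custom page answered; inspect by hand
                echo review
            fi ;;
        *)
            # redirects, 5xx, WAF challenge pages and anything else unexpected
            echo review ;;
    esac
}

# check_env_url BASE_URL -> prints a one-line verdict; exit status 0 only when blocked
check_env_url() {
    base="${1%/}"
    tmp=$(mktemp)
    # -L follows the http->https redirect most sites have; -w appends the final status code
    status=$(curl -sL -o "$tmp" -w '%{http_code}' "$base/.env")
    body=$(cat "$tmp")
    rm -f "$tmp"
    verdict=$(classify_env_response "$status" "$body")
    echo "$base/.env -> HTTP $status: $verdict"
    [ "$verdict" = blocked ]
}

# Usage: sh check-env.sh https://yourdomain.com   (no network call is made without an argument)
if [ "$#" -gt 0 ]; then
    check_env_url "$1"
fi
```

Because `check_env_url` exits non-zero for anything other than blocked, it slots straight into a deployment checklist or CI job: a deploy that leaves .env readable fails the pipeline instead of waiting for an external monitor to notice.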
Prevention
Use a deployment checklist that verifies .env is not accessible after every deployment. Set up continuous external monitoring with StackShield to get alerted immediately if your .env file becomes exposed after a server configuration change or deployment.
Frequently Asked Questions
What should I do if my .env file was already exposed?
Immediately rotate all credentials in the file: change your database password, regenerate your APP_KEY (php artisan key:generate), revoke and regenerate all third-party API keys, and invalidate all user sessions. Assume every secret in the file has been compromised.
Does Laravel Forge or Vapor protect against this?
Laravel Forge configures Nginx correctly by default with the document root pointing to /public and rules blocking dotfile access. Laravel Vapor runs on Lambda where .env is not served as a file. However, misconfigurations during manual server changes can still expose it.
Can I check if my .env was accessed by attackers?
Check your web server access logs for requests to /.env. Run: grep '/\.env' /var/log/nginx/access.log or grep '/\.env' /var/log/apache2/access.log (escape the dot, otherwise the pattern also matches unrelated words such as "environment"). Any 200 status codes for .env requests indicate it was successfully accessed.