Laravel APP_KEY Security: How to Generate, Rotate, and Protect Your Encryption Key
A missing, short, or committed APP_KEY compromises session encryption, signed URLs, and all data encrypted with Crypt. Generate a strong key and keep it out of Git.
The Problem
The APP_KEY is the master encryption key for your Laravel application. It protects session data, encrypted cookies, signed URLs, and anything encrypted with the Crypt facade. A missing key means encryption fails silently or throws errors. A weak or short key can be brute-forced. A committed key means anyone with repo access can decrypt your application data, forge session cookies, and impersonate any user.
How to Fix
1. Generate a strong APP_KEY
Use Laravel's built-in command to generate a cryptographically secure key:
php artisan key:generate
This sets a base64-encoded 32-byte key in your .env file:
APP_KEY=base64:abc123...=
The key must be exactly 32 bytes (256 bits) for AES-256-CBC, which is Laravel's default cipher.
2. Verify the key is not committed to Git
Check if APP_KEY has been committed with an actual value:
git log --all -p -S 'APP_KEY=base64:' -- .env
If found, the key is compromised. Also check config/app.php:
// WRONG — hardcoded key
'key' => 'base64:abc123...',
// CORRECT — reads from environment
'key' => env('APP_KEY'),
Ensure .env is in .gitignore (it is by default in Laravel).
3. Rotate the key if compromised
If the APP_KEY was ever exposed:
1. Generate a new key: php artisan key:generate
2. Clear all sessions: php artisan session:flush (or truncate the sessions table)
3. Re-encrypt any data stored with Crypt::encrypt()
4. Invalidate all signed URLs
5. Clear cache: php artisan cache:clear
Warning: Changing the APP_KEY means all existing encrypted data becomes unreadable. If you store encrypted data in the database, you need to decrypt with the old key and re-encrypt with the new key before switching.
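The decrypt-with-old-key, re-encrypt-with-new-key step described above, as an added PHP example that is not code from the original page, Laravel or StackShield. It assumes both keys in "base64:..." form and a table with an integer id column plus one column whose values were written with Crypt::encrypt(); the table, column and new-key values at the bottom are placeholders.

```php
<?php
// Added example (not Laravel's or StackShield's code). Assumes keys in "base64:..."
// form and a table with an integer `id` plus one column written by Crypt::encrypt().
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;

/** Turn "base64:..." into raw key bytes, refusing anything but 32 bytes (AES-256-CBC). */
function rawAppKey(string $appKey): string
{
    $raw = base64_decode(Str::after($appKey, 'base64:'), true);
    if ($raw === false || strlen($raw) !== 32) {
        throw new RuntimeException('APP_KEY must decode to exactly 32 bytes');
    }
    return $raw;
}

/**
 * Decrypt each value with the old key and store it re-encrypted with the new one.
 * Rows that already decrypt with the new key are skipped, so an interrupted run can be
 * started again safely. Returns the number of rows rewritten.
 */
function rotateEncryptedColumn(string $oldAppKey, string $newAppKey, string $table, string $column): int
{
    $old = new Encrypter(rawAppKey($oldAppKey), 'AES-256-CBC');
    $new = new Encrypter(rawAppKey($newAppKey), 'AES-256-CBC');
    $rewritten = 0;
    DB::table($table)->orderBy('id')->chunkById(500, function ($rows) use ($old, $new, $table, $column, &$rewritten) {
        DB::transaction(function () use ($rows, $old, $new, $table, $column, &$rewritten) {
            foreach ($rows as $row) {
                if ($row->$column === null) { continue; } // nothing encrypted in this row
                try {
                    $plain = $old->decrypt($row->$column);
                } catch (DecryptException $e) {
                    // MAC failed under the old key: already rotated, or corrupt (this rethrows).
                    $new->decrypt($row->$column);
                    continue;
                }
                DB::table($table)->where('id', $row->id)->update([$column => $new->encrypt($plain)]);
                $rewritten++;
            }
        });
    });
    return $rewritten;
}

// Run BEFORE switching APP_KEY in .env; the new key below is a placeholder:
// rotateEncryptedColumn(config('app.key'), 'base64:NEW_KEY_PLACEHOLDER', 'users', 'secret_note');
```

Run it from php artisan tinker or a one-off artisan command while the old key is still the active APP_KEY, then switch .env and clear sessions and cache as listed above.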
How to Verify
Check your .env has a proper key:
php artisan tinker
>>> config('app.key')
# Should output: base64:... (44 base64 characters after the prefix)
>>> strlen(base64_decode(Str::after(config('app.key'), 'base64:')))
# Should output: 32
Run php artisan stackshield:scan --check=SS010 to verify.
Prevention
Never commit .env to Git. Use separate APP_KEY values for each environment (local, staging, production). Store production keys in a secrets manager. Include key validation in your deployment checklist. Use StackShield to alert if APP_KEY becomes exposed.
Frequently Asked Questions
What happens if I change the APP_KEY?
All existing encrypted data becomes unreadable, all active sessions are invalidated (users get logged out), and all signed URLs become invalid. Password hashes are NOT affected since they use bcrypt, not the APP_KEY.
Can I use the same APP_KEY across environments?
No. Each environment (local, staging, production) should have its own unique APP_KEY. Sharing keys means a compromise in one environment compromises all environments.