Security Tip: Protect Your .env File

⚠️ Want me to hack into your app and tell you how I did it, so you can fix it before someone else finds it? Book in a Laravel Security Audit and Penetration Test! 🕵️

I stumbled upon an interesting tweet1 this morning from @AshboDev on Twitter:

It sparked some interesting questions and recommendations, which we’ll get to in a shortly, as well as this reply/quote from @akshitarora0907 that demonstrates the issue nicely:

It’s very clearly an issue on some sites, one which you can easily exploit using a technique called Google Dorking, which makes it trivial to find exposed .env files.

I just performed a quick dork2, which revealed 20+ sites on the first page of results - exactly what I expected to find. These are just the ones Google is aware of - there would be significantly more that haven’t been detected yet, which you could find manually or over time as Google picks them up.

Many of these will contain APP encryption keys, database credentials, API keys, etc, many of which are usable for further exploitation of the app or the associated accounts. For example, finding Stripe keys would allow access to the payment systems…

How Does This Happen?

By design, Laravel keeps all but the essential files outside the `public/` directory, and you’re supposed to configure your apps so only the `public/` is accessible on the web. This means that files like `.env` aren’t accessible at all, and you’re safe from this issue entirely.

However, some environments don’t support putting files outside the web root - shared hosting is a common scenario where this happens, or if you’re managing your own server and you’re unaware of the purpose of the `public/` directory. In these instances, your files outside `public/` are web accessible and sensitive information, such as your `.env` can be exposed3.

It’s not just the `.env` which is an issue, but any other file in your directory - such as `auth.json`, or cache files, config files, etc… the options are plentiful.

How Do You Prevent It?

1. Install your apps so `public/` is the only web accessible directory.
   This is super important, so always try this first! If you use a service like Laravel Forge, this is done automatically for you.

2. Add specific rules into Nginx/Apache to block accessing your sensitive files.
   Laravel forge does this as an extra layer of protection by blanket blocking all `.*` files. This also blocks access to `.git`, which is another huge security risk.

   location ~ /\.(?!well-known).* {
       deny all;
   }

3. Set environment variables in the server environment or use XYZ secure config storage solution.
   I’ve included these as they are legitimate solutions, but only at #3 as you only really want to mess around with these options when you’re managing a large app across multiple servers. It adds a lot of complexity you really don’t want to deal with on a simple app, and I’d personally recommend just sticking with a `.env` file and installing Laravel properly.
   (If you want me to go into more detail, or you disagree, please jump in the comments and I’ll happily continue the conversation!)

We’ll finish up here, since this is a security Tip, not an In Depth, but the key takeaway is to install and configure your Laravel apps so the sensitive files are not web accessible.

If you’re not comfortable configuring your site securely and getting the web config right, then I highly recommend checking out a service like Laravel Forge, which will handle it all for you4.

Looking to learn more?
⏩ Security Tip #43: Don't Forget Rate Limiting
▶️ In Depth #15: Mass-Assignment Vulnerabilities