Prevent access to .env file in Apache server?

Stefan Bogdanescu

Founder & Senior Architect · 2026-06-29

Laravel Company

Prevent Access to .env File in Your Apache Server: Securing Laravel Credentials

As developers, we often deal with sensitive information—database passwords, API keys, and configuration settings. The Laravel .env file is the heart of your application's secrets, storing credentials that absolutely must remain confidential. When a user attempts to access this file directly via a web browser (e.g., http://servername/.env), it exposes critical security vulnerabilities.

This post will dive into why this happens and provide robust, developer-grade solutions to protect your sensitive configuration files without resorting to non-guessable naming conventions.

The Security Risk: Why .env Exposure is Dangerous

The core issue here is not just file visibility; it’s the principle of defense in depth. If a web server (like Apache) serves any file directly, that file becomes accessible to anyone who can reach the URL. Exposing .env contents allows attackers immediate access to your database credentials, potentially leading to a complete system compromise.

While renaming files (e.g., .env_secret) is a common superficial fix, it only changes the naming convention; it does not change the underlying security mechanism. We need solutions that enforce access control, not just obscurity.

The Best Practice: Server-Level Access Control

The most effective way to prevent unauthorized access to configuration files is to ensure the web server itself refuses to serve them. This involves configuring Apache to deny access to specific file types or directories.

Using .htaccess for Directory Protection (The Right Way)

You asked about using .htaccess. While it can be useful, simply placing a rule might not stop an attacker who knows the exact path. The goal here is to ensure that any attempt to access configuration files results in a 403 Forbidden error, rather than displaying content.

To protect sensitive configuration files, you should restrict access to the entire directory where they reside. For example, if your .env file is located in the root directory accessible via HTTP, you can use .htaccess rules to block direct file requests:

# .htaccess file placed in the directory containing .env
Order allow,deny
Deny from all

A More Targeted Approach: If you only want to prevent viewing specific files but allow other legitimate static assets, a more granular approach is needed. However, for true security, the best practice is often to move sensitive files outside the publicly accessible web root entirely (see next section).

Defense in Depth: File System Permissions

Beyond HTTP access control, you must secure the file system itself. The operating system permissions dictate who can read or write a file, regardless of what the web server says.

Ensure that the .env file has extremely restrictive permissions. For maximum security on Linux/Apache systems, you should set permissions so that only the owner (the web server user) can read and write the file:

# Change ownership to the web server user (e.g., www-data or apache)
sudo chown www-data:www-data /path/to/.env

# Set strict read/write permissions for the owner only
sudo chmod 600 /path/to/.env

By setting chmod 600, you ensure that even if an attacker manages to bypass a weak .htaccess rule, they still cannot read the file unless they are running as the specific user group. This layered approach is crucial when building secure applications, especially in the context of frameworks like Laravel, where configuration security is paramount, as emphasized by best practices from teams at laravelcompany.com.

Final Thoughts on Configuration Management

While server-side protection stops direct web access, remember that storing all secrets directly in the filesystem can still pose risks. For large or highly sensitive applications, consider utilizing environment variable management systems or encrypted storage solutions rather than relying solely on file permissions for absolute security. Always aim to keep your application secrets managed through secure deployment pipelines and robust server configurations.