Jump to content

Credentials Security


Go to solution Solved by kicken,

Recommended Posts

What are you trying to protect against? Someone reading source code in your repository? Developers themselves knowing how to connect to and read from a production database? Other people on a shared hosting server reading your files?

I have a php application I made…

Currently I use phpdotenv https://github.com/vlucas/phpdotenv to store my creds in a .env file in the root directory…

It works, however twice now the AWS SES creds have been stolen and used to send mass emails…

Im not sure how they’re finding the information but they are… so I’m just trying to figure out how to store them better to avoid them getting into the wrong hands…

  • Solution
1 hour ago, DanRz said:

Im not sure how they’re finding the information but they are

Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up.  If it does, then that's your problem.

Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL.  If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism.  If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code.

 

18 hours ago, kicken said:

Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up.  If it does, then that's your problem.

Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL.  If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism.  If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code.

 

Thanks so much! I never thought of this bit that indeed was the problem... an oversight I think!!

I have now secured it with htaccess so its Forbidden now.

Thanks for your help!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.