Jump to content

Credentials Security

DanRz

By DanRz
in PHP Coding Help

 Share
Go to solution Solved by kicken,

Recommended Posts

requinix Prolific Member

requinix

Posted
Posted

What are you trying to protect against? Someone reading source code in your repository? Developers themselves knowing how to connect to and read from a production database? Other people on a shared hosting server reading your files?

DanRz Member

DanRz

Posted
  • Author
Posted

I have a php application I made…

Currently I use phpdotenv https://github.com/vlucas/phpdotenv to store my creds in a .env file in the root directory…

It works, however twice now the AWS SES creds have been stolen and used to send mass emails…

Im not sure how they’re finding the information but they are… so I’m just trying to figure out how to store them better to avoid them getting into the wrong hands…

  • Solution
kicken Prolific Member

kicken

Posted
  • Solution
Posted
1 hour ago, DanRz said:

Im not sure how they’re finding the information but they are

Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up.  If it does, then that's your problem.

Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL.  If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism.  If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code.

 

DanRz Member

DanRz

Posted
  • Author
Posted
18 hours ago, kicken said:

Try browsing directly to your .env file on your website, for example http://example.com/.env and see if the file contents comes up.  If it does, then that's your problem.

Ideally you'd store your .env file outside of your webroot so it's inaccessible via any URL.  If you're hosting provider does not allow for that, then you need to configure the webserver to not allow access to your .env file via .htaccess or some similar mechanism.  If you can't do that, then the next best option is to store the credentials as PHP code in a .php file so even if someone does try and load the URL they won't see the PHP code.

 

Thanks so much! I never thought of this bit that indeed was the problem... an oversight I think!!

I have now secured it with htaccess so its Forbidden now.

Thanks for your help!

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.