Installing Laravel in a Subfolder? Hide your .env file.


March 4th, 2017

Installing Laravel in a Subfolder? Hide your .env file.

If you are new to Laravel you might not be familiar with its directory structure and the reasons why it’s setup the way it is. If you look at the main repository it’s setup like this, and the documentation covers what each of these folders handles.

What is important here is the “public” folder. That is the ONLY directory you want to be exposed through the web. Everything else should be outside of your web root, this way people can’t access any of your important files through the browser.

As an example I found a site where they had a copy of Laravel installed on a domain like this:

Inside the “subfolder,” they left the original Laravel structure, so all you have to do is change the URL to to see a lot of important data like the database connection. Not only this but the .git files as well that can expose other sensitive data.

If you have Laravel installed in a subfolder, please check that none of the dot files or the other directories are accessible through the browser, and if they are you can hide them by moving the out of the web root, or using .htaccess on Apache, or Nginx config. The best option is to move them above the web root and here is how you can setup Laravel in that situation.

Installing Laravel in a Subfolder

To install Laravel in a subfolder let’s walk through a typical server setup to demonstrate it. Typically the path to the web root is something like this, but it can vary depending on your host:


With this path, the “html” folder is the web root, and your domain will typically point here. Now, let’s say you are building a blog and you create /var/www/html/blog. All the contents of your Laravel “public” folder would go in this folder. For example:


You will then put the rest of your Laravel folders and files in another place outside of “html”, for example:


Then for the final steps modify your “blog/index.php” file and adjust the following two paths.

// blog/index.php change to point to /var/www/laravel/
require __DIR__.'/../bootstrap/autoload.php';
$app = require_once __DIR__.'/../bootstrap/app.php';

This will keep everything outside your web root, make your install more secure, and prevent unauthorized access to import items.

Filed in:

Eric L. Barnes

Eric is the creator of Laravel News and has been covering Laravel since 2012.