Installing Laravel in a Subfolder? Hide your .env file.
If you are new to Laravel you might not be familiar with its directory structure and the reasons why it’s setup the way it is. If you look at the main repository it’s setup like this, and the documentation covers what each of these folders handles.
What is important here is the “public” folder. That is the ONLY directory you want to be exposed through the web. Everything else should be outside of your web root, this way people can’t access any of your important files through the browser.
As an example I found a site where they had a copy of Laravel installed on a domain like this:
site.com/subfolder/public/
Inside the “subfolder,” they left the original Laravel structure, so all you have to do is change the URL to site.com/subfolder/.env to see a lot of important data like the database connection. Not only this but the .git files as well that can expose other sensitive data.
If you have Laravel installed in a subfolder, please check that none of the dot files or the other directories are accessible through the browser, and if they are you can hide them by moving the out of the web root, or using .htaccess on Apache, or Nginx config. The best option is to move them above the web root and here is how you can setup Laravel in that situation.
Installing Laravel in a Subfolder
To install Laravel in a subfolder let’s walk through a typical server setup to demonstrate it. Typically the path to the web root is something like this, but it can vary depending on your host:
/var/www/html
With this path, the “html” folder is the web root, and your domain will typically point here. Now, let’s say you are building a blog and you create /var/www/html/blog. All the contents of your Laravel “public” folder would go in this folder. For example:
/var/www/html/blog/css/
/var/www/html/blog/js/
/var/www/html/blog/index.php
You will then put the rest of your Laravel folders and files in another place outside of “html”, for example:
/var/www/laravel/
/var/www/laravel/app/
/var/www/laravel/bootstrap/
/var/www/laravel/.env
/var/www/laravel/...
Then for the final steps modify your “blog/index.php” file and adjust the following two paths.
// blog/index.php change to point to /var/www/laravel/
require __DIR__.'/../bootstrap/autoload.php';
$app = require_once __DIR__.'/../bootstrap/app.php';
This will keep everything outside your web root, make your install more secure, and prevent unauthorized access to import items.
Filed in: Laravel Tutorials
Enjoy this? Get Laravel News delivered straight to your inbox every Sunday.
No Spam, ever. We'll never share your email address and you can opt out at any time.
Newsletter
Join the weekly newsletter and never miss out on new tips, tutorials, and more.
Laravel Jobs
- Mid / Sen. Software Engineer
-
Clearwater, FL
ShineOn - Remote PHP / Laravel Developer
-
Remote
SpringboardVR - Senior PHP/Laravel Developer: Your Dream Work Environment
-
Remote
iPhone Photography School - Senior Laravel Developer
-
Leidseplein, Amsterdam
Orderchamp.com - PHP Developer
-
Remote
X-Team - Senior Laravel Developer (Canada and India)
-
London, Ontario, Canada
Factory Bucket Inc. - Laravel, PHP, PostgreSQL, Neo4J Developer
-
Pune, India (intern in Denver, CO)
Life AI
Creating Alerts in Understand.io
Alerts can be created in Understand.io to automatically send a variety of notifications when something important take…
Empathy: the Cornerstone of Your Company Culture
Hard skills change constantly. Every year, developers must level up their skills to keep pace with the ever-changing…