I am developing in CakePHP and it uses a .env file in config - below is a snippet.
It specifically says "having this file in production is considered a security risk."
I understand about not committing an .env to git/version control, so as not to expose secrets to the public; and I also understand about not including secret keys directly in source code; but I don't understand how we can then use .env variables but it's a security risk to include in production? It seems counterintuitive.
I have scanned a bunch of stackoverflow questions and articles and I still don't understand what the correct best practice is?
Some sources say ensure the file is outside of public_html and not accessible - fine - others say you should set the EVs on the host?
Edit - there's also this post to set it using SetEnv in apache .htaccess - but how is this any better than using a .env file? if both are out of the document root.
#!/usr/bin/env bash
# Used as a default to seed config/.env which
# enables you to use environment variables to configure
# the aspects of your application that vary by
# environment.
#
# Having this file in production is considered a **SECURITY RISK** and also decreases
# the boostrap performance of your application.
#
# To use this file, first copy it into `config/.env`. Also ensure the related
# code block for loading this file is uncommented in `config/boostrap.php`
#
# In development .env files are parsed by PHP
# and set into the environment. This provides a simpler
# development workflow over standard environment variables.
export APP_NAME="__APP_NAME__"
export DEBUG="true"
export APP_ENCODING="UTF-8"
export APP_DEFAULT_LOCALE="en_US"
export APP_DEFAULT_TIMEZONE="UTC"
export SECURITY_SALT="__SALT__"
