
Stephen, I would like your opinion on the security of plain-text creds in the .env file. Even when you use a key vault to store credentials instead of the .env, when the configuration gets cached those credentials will be stored in /bootstrap/cache/config

Answered this one on Twitter, but so it's here too:

I don't have any problems with creds stored in the .env file. The nature of PHP means you don't really have any other choice anyway (as you pointed out), and if someone can read that file, they've already got too much access to your server.

You're adding needless complexity by trying to protect them elsewhere. And so many people waste time on methods to commit or manage creds locally, which I think introduces actual risks.

Instead, keep them only on prod and don't store them anywhere else.

Follow-up:
"Absolutely agree with the complexity. I am trying to figure out a balanced approach for clients bothering me about creds being in the .env"

Massively over-quote the work involved in moving to a different solution? 🤣

That's a tough one. It's such a common recommendation, but in my professional opinion, it's complete rubbish. You're much better off focusing on securing the server itself than wasting time with creds.


In response to @valorin

I agree with you on this; the only addition I'll make is to secure your app with at least minimal security. I saw download functions in production allowing path traversal and returning the config file or .env file

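An added example, not code from this thread, of the kind of "minimal security" that reply is talking about: a plain-PHP download resolver that refuses any request escaping its base directory, so a traversal like `../../.env` is never served. The function name and the temporary directory layout are my own.

```php
<?php
// Added example (not from the thread): resolve a user-supplied download name
// against a fixed base directory and reject anything that escapes it.
declare(strict_types=1);

function resolveDownload(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ".." segments and symlinks before we compare,
    // so the check below is on the real on-disk location, not the raw string.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved file must sit strictly inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Demonstration against a constructed temp layout (not a real deployment):
//   <root>/.env                  secret that must never be served
//   <root>/public/uploads/a.txt  legitimate download
$root = sys_get_temp_dir() . '/dl_demo_' . bin2hex(random_bytes(4));
mkdir("$root/public/uploads", 0700, true);
file_put_contents("$root/.env", "APP_KEY=constructed-secret\n");
file_put_contents("$root/public/uploads/a.txt", "hello\n");
$uploads = "$root/public/uploads";

foreach (['a.txt', '../../.env', '/etc/passwd', '.'] as $name) {
    $resolved = resolveDownload($uploads, $name);
    printf("%-12s => %s\n", $name, $resolved === null ? 'REJECTED' : 'served ' . basename($resolved));
}

// Clean up the constructed layout.
unlink("$root/public/uploads/a.txt");
unlink("$root/.env");
rmdir("$root/public/uploads");
rmdir("$root/public");
rmdir($root);
```

Only `a.txt` resolves; the traversal, the absolute path and the bare directory are all rejected before any file is read.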
