We have a new security team at work. I’m working on a new site using bedrock and they’ve flagged the use of environment variables for passwords as a no-no.
To be honest, I was kind of and started looking into it myself. After reading some, the arguments against the practice seem pretty sound.
I searched here but couldn’t find any discussion on the subject (though I probably just didn’t enter the correct incantation into the search box).
Would be interested to hear if this has been discussed by the roots team/community. If so, and continuing to use ENV vars was decided upon, I’d be interested to hear the arguments in favor. Perhaps I could use them to convince our security team to let me be.
Yeah, they have some problems. I’ve personally thought it’s slightly overblown but I guess ideally we’d avoid them.
I planed to switch from
.env to an INI file but for various reasons abandoned that. Anyway, I’m still open to alternatives.
I don’t like secrets in environment variables either.
Thanks for the thoughts. Good to know about FPM. Don’t think that’ll convince them to leave it be without a crazy review of possible child processes but still good to know!
So, yeah, I’ve gone ahead and moved the config secrets to
config/environments/[ENV_NAME]-local.php files. Not quite as tidy but works fine.