Environment Variables Considered Harmful (?)

We have a new security team at work. I’m working on a new site using bedrock and they’ve flagged the use of environment variables for passwords as a no-no.

To be honest, I was kind of :rolling_eyes: and started looking into it myself. After reading some, the arguments against the practice seem pretty sound.

I searched here but couldn’t find any discussion on the subject (though I probably just didn’t enter the correct incantation into the search box).

Would be interested to hear if this has been discussed by the roots team/community. If so, and continuing to use ENV vars was decided upon, I’d be interested to hear the arguments in favor. Perhaps I could use them to convince our security team to let me be. :slight_smile:

Yeah, they have some problems. I’ve personally thought it’s slightly overblown but I guess ideally we’d avoid them.

I planed to switch from .env to an INI file but for various reasons abandoned that. Anyway, I’m still open to alternatives.

I don’t like secrets in environment variables either.

Some considerations:

1 Like

Thanks for the thoughts. Good to know about FPM. Don’t think that’ll convince them to leave it be without a crazy review of possible child processes but still good to know!

So, yeah, I’ve gone ahead and moved the config secrets to config/environments/[ENV_NAME]-local.php files. Not quite as tidy but works fine.