Description
The .env.example file sets SESSION_ENCRYPT=false as the default value. Laravel reads this into config('session.encrypt') (config/session.php uses env('SESSION_ENCRYPT', false)), so with the default the session payload is written to the configured session store (file, database, Redis, etc.) in plaintext. That is acceptable for local development, but it becomes a security risk if developers copy this file to production without changing the setting.
File: .env.example (line 30)
Impact
Unencrypted session data could expose sensitive user information if:
- The session storage is compromised
- Session data is logged or cached inappropriately
- A developer forgets to enable encryption in production
Recommendation
Any (ideally all) of the following:
- Change the default to SESSION_ENCRYPT=true in .env.example
- Add a prominent comment warning developers to enable this in production
- Add validation in AppServiceProvider that fails loudly if SESSION_ENCRYPT=false in production
Example validation (reads config('session.encrypt') rather than env(), so it still works after php artisan config:cache, when env() returns null):
use Illuminate\Support\ServiceProvider;
use RuntimeException;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Refuse to boot in production if session payload encryption is disabled.
        if ($this->app->environment('production') && !config('session.encrypt')) {
            throw new RuntimeException('SESSION_ENCRYPT must be true in production');
        }
    }
}
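The runtime check above only fires once the application boots. The following is an added example (not part of the project) of the same gate applied earlier, as a pre-deploy script that rejects a .env file whose APP_ENV is production while SESSION_ENCRYPT is not true. It assumes Laravel's KEY=value dotenv format, that APP_ENV selects the environment, and that a missing SESSION_ENCRYPT key means Laravel's default of false, so an absent key is treated as disabled. The sample .env files are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-deploy gate (added example, not project code): refuse to ship a .env
# that leaves session encryption off in production.
# Assumptions: KEY=value dotenv format, APP_ENV selects the environment, and a
# missing SESSION_ENCRYPT key falls back to Laravel's default (false).

# env_value FILE KEY -> prints the value of the last uncommented KEY= line,
# with surrounding single/double quotes stripped; prints nothing if absent.
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e "s/^'\(.*\)'$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# check_session_encrypt FILE
# Returns 0 when the file is safe to deploy, 1 when APP_ENV is production and
# SESSION_ENCRYPT is anything other than true (including unset). This is the
# same condition the AppServiceProvider check enforces at runtime.
check_session_encrypt() {
    app_env=$(env_value "$1" APP_ENV)
    encrypt=$(env_value "$1" SESSION_ENCRYPT | tr '[:upper:]' '[:lower:]')
    if [ "$app_env" = "production" ] && [ "$encrypt" != "true" ]; then
        echo "FAIL: $1 has APP_ENV=production but SESSION_ENCRYPT=${encrypt:-<unset>}" >&2
        return 1
    fi
    return 0
}

# Constructed sample files for the demonstration (not real project files).
tmp=$(mktemp -d)
cat > "$tmp/dev.env" <<'EOF'
APP_ENV=local
SESSION_ENCRYPT=false
EOF
cat > "$tmp/bad-prod.env" <<'EOF'
APP_ENV=production
# SESSION_ENCRYPT copied straight from .env.example
SESSION_ENCRYPT=false
EOF
cat > "$tmp/good-prod.env" <<'EOF'
APP_ENV="production"
SESSION_ENCRYPT="true"
EOF

for f in dev.env bad-prod.env good-prod.env; do
    if check_session_encrypt "$tmp/$f"; then
        echo "ok:   $f"
    fi
done
```

In a CI pipeline the script would be run against the rendered production .env (or the secret store's export) before the deploy step, so a copied .env.example is caught before any session is ever written unencrypted.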
References
- docs/security.md already recommends SESSION_ENCRYPT=true for production