Closed martin-sweeny closed 2 years ago
Hello,
The default .env file does not include anything that would affect security. It's completely safe to use the default .env file without any changes.
This also makes self-hosting much easier for people without any Linux experience.
Thanks again for your support.
Well, that's patently false, and you're willfully risking your own infra and your customers' data. Can't say I didn't warn you.
This is wildly insecure and against standard practice.
https://stackoverflow.com/questions/43664565/why-do-people-put-the-env-into-gitignore
https://platform.sh/blog/2021/we-need-to-talk-about-the-env/
Which brings up the most important thing to remember about .env files: they do not belong in Git.
Some developers put the .env file in the public folder with sensitive data, and sometimes even by mistake, as they use this .env file for development and then push it to GitHub.
In this project, I don't use any sensitive data that could affect the security.
I can rename the ".env" file to ".env.example" and remove the default passwords from it. As this project is meant for non-technical users too, if I provide the command "cp .env.example .env", users would deploy the database without any root and user password, which would potentially make it even worse than providing a default password.
Edited: I should probably make an "installer" that would ask the user for information and automatically fill in the .env file based on the information received.
The README would include how to set up the env file. I think your approach with maybe an init script would be simple enough, and could perform the rename operation.
I have renamed the .env file to .env.example and removed all passwords from it, so advanced users can still just edit the file, and for users that just copy-paste everything from GitHub it would open an installer that would ask them questions, validate them, and write to a newly created .env file.
I'm already working on the installer.
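One shape such an installer can take, as an added example written for this thread and not the project's own installer: it renders .env from .env.example, generating a random value for every credential key left empty instead of shipping a default password, creates the file owner-readable only, and refuses a file that still carries a placeholder. The key names, the .env.example layout and the *PASSWORD*/*SECRET*/*TOKEN*/*KEY* naming convention are assumptions.

```shell
#!/bin/sh
# Added example (not project code): build .env from .env.example without default passwords.
# Assumption: .env.example holds KEY=VALUE lines and leaves credential keys empty.
set -eu

# 32 alphanumeric characters from the OS RNG; alphanumeric only so the value needs no quoting.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# Naming convention assumed here: these keys are credentials and must never keep a default.
is_secret_key() {
    case "$1" in
        *PASSWORD*|*SECRET*|*TOKEN*|*KEY*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render $2 (.env) from $1 (.env.example): empty credential keys get a generated value,
# every other line (comments, blanks, non-secret settings) is copied through unchanged.
render_env() {
    example="$1"; out="$2"
    umask 077                      # the new .env is created 0600: owner-readable only
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line" >> "$out"; continue ;;
        esac
        key="${line%%=*}"
        value="${line#*=}"
        if is_secret_key "$key" && [ -z "$value" ]; then
            value="$(gen_secret)"
        fi
        printf '%s=%s\n' "$key" "$value" >> "$out"
    done < "$example"
}

# Validate a rendered .env: return 1 if any credential key is empty or a known placeholder.
check_env() {
    bad=0
    while IFS='=' read -r key value; do
        case "$key" in ''|'#'*) continue ;; esac
        if is_secret_key "$key"; then
            case "$value" in
                ''|changeme|password|secret|admin) echo "weak value for $key" >&2; bad=1 ;;
            esac
        fi
    done < "$1"
    return "$bad"
}
```

Usage: `render_env .env.example .env && check_env .env` before the first `docker compose up`; an interactive installer can call the same two functions after prompting for the non-secret values.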
Why didn't you just accept my PR lmao
Done 😉
jesus christ i can't believe i'm doing this