data in .ENV on risk? Security best practices
#1

(This post was last modified: 08-16-2024, 01:02 AM by JanFromHamburg.)

What is your opinion, how safe are the data in our .ENV file?
What additional security measures do you use aside from the CI4 standards?


Risky Biz News:

A threat actor is hacking and extorting companies that have misconfigured their cloud server infrastructure. The data extortion campaign has been taking place since earlier this year and involves a large-scale scan of the internet for companies that have exposed their environment variable files. Also known as .ENV, these files act as a centralized location for storing configuration data by multiple software solutions. Security firm Palo Alto Network says the attacker has been scanning the internet for ENV files, extracting login credentials, and accessing cloud servers. The attacker has allegedly scanned more than 230 million unique servers and successfully retrieved 90,000 environment variables—with around 7,000 of these being access keys associated with cloud services. PAN researchers say that in some cases, the attacker accessed cloud servers, exfiltrated data, deleted the original files, and then asked for a ransom to return the stolen documents.

https://unit42.paloaltonetworks.com/larg....risky.biz
#2

I think the .ENV file is just for use on a local development environment...
The settings for production would have to be in the internal config files...
Or maybe use a Secrets Manager instead of .ENV files?
#3

If you configure your server according to the User Guide
- https://codeigniter.com/user_guide/insta...nning.html
- https://codeigniter.com/user_guide/insta...g-services
the .env file is not accessible via the web.

But if there is a vulnerability that lets an attacker read the .env file, it is not secure.
#4

(08-16-2024, 04:28 AM)FlavioSuar Wrote: I think the .ENV file is just for use on a local development environment...
The settings for production would have to be in the internal config files...

No, you should not set, e.g., database passwords in the config files.
Because config files are part of the app source code that is shared with developers.

So secrets for production should not be set in config files; they should be set in environment variables or some other place.

But you could set environment variables with the apache/nginx config.
See https://codeigniter.com/user_guide/gener...tml#apache
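A deploy-time check for the two points made in #3 and #4 (keep .env outside the DocumentRoot, keep it readable only by the application user, never commit it), as an added example that is not from this thread or the CodeIgniter project. It assumes the standard CI4 layout, with .env in the project root and public/ as the web root; both paths are arguments you supply.

```shell
#!/bin/sh
# Added example, not code from this thread or the CodeIgniter project.
# Assumes the standard CI4 layout: .env in the project root, public/ as web root.

# check_env_file <path-to-.env> <DocumentRoot>
# Returns 0 if every check passes, 1 if any fails (each failure is printed).
check_env_file() {
    env_file="$1"
    docroot="$2"
    status=0

    if [ ! -f "$env_file" ]; then
        echo "no .env at $env_file (fine if secrets come from real env vars)"
        return 0
    fi

    # 1. .env must not live under the DocumentRoot: a server that serves
    #    dotfiles would hand it out as a static file.
    env_dir=$(cd "$(dirname "$env_file")" && pwd -P)
    doc_dir=$(cd "$docroot" 2>/dev/null && pwd -P) || {
        echo "FAIL: DocumentRoot $docroot does not exist"; return 1; }
    case "$env_dir/" in
        "$doc_dir"/*) echo "FAIL: $env_file is inside web root $doc_dir"; status=1 ;;
    esac

    # 2. Only the owner may read it (mode 600 or 400): group/other bits must be 0.
    #    GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $env_file has mode $mode, expected group/other = 0"; status=1 ;;
    esac

    # 3. It must not be committed: a tracked .env ships the secrets with the source.
    if git -C "$env_dir" ls-files --error-unmatch "$(basename "$env_file")" >/dev/null 2>&1; then
        echo "FAIL: $env_file is tracked by git"; status=1
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $env_file"
    fi
    return "$status"
}
```

Run it after each deployment, e.g. `check_env_file /var/www/app/.env /var/www/app/public`; a non-zero exit is meant to fail the deploy pipeline.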