The app/etc/env.php file contains sensitive credentials, including database and encryption keys. It should be restricted to mode 640 or stricter, owned by the correct application user and group. Insecure permissions may expose secrets to unauthorized local users or processes.
The file app/etc/env.php stores very sensitive information. It includes database logins, encryption keys, and other secrets. If this file has weak permissions, any local user or process could read it. Attackers may then use those secrets to take over the database, steal customer data, or gain full control of the Magento store.

Strong file permissions limit access to only the web server user and trusted group. This reduces the chance that secrets leak through misconfigured hosting, shared servers, or malicious scripts running on the same machine. Protecting env.php is one of the most important steps to keep the store secure.
# Check permissions, owner and group
stat -c "%a %U:%G %n" /var/www/magento/app/etc/env.php
# Good result should be 640 or stricter (owner can read/write, group read, others none)

# Set the owner and group to the web server user, then restrict the mode
chown www-data:www-data /var/www/magento/app/etc/env.php
chmod 640 /var/www/magento/app/etc/env.php

# Example ls -l output
# Too open, unsafe (world-readable)
-rw-r--r-- 1 www-data www-data 1234 Jan 1 10:00 env.php
# Safe, only owner and group can read
-rw-r----- 1 www-data www-data 1234 Jan 1 10:00 env.php
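As an added example (not part of the original note), the check and fix above as reusable POSIX shell functions: the mode test accepts 640 or anything stricter and rejects setuid/setgid/sticky bits; the /var/www/magento path and the www-data user and group are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original note): audit and repair the ownership
# and mode of Magento's app/etc/env.php. The path and the www-data user/group
# are assumptions; override them via the environment.
MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
ENV_FILE="$MAGENTO_ROOT/app/etc/env.php"
APP_USER="${APP_USER:-www-data}"
APP_GROUP="${APP_GROUP:-www-data}"

# mode_ok MODE: succeed when the octal mode (as printed by `stat -c %a`) is
# 640 or stricter, i.e. no bit is set outside owner rw + group r. Setuid,
# setgid and sticky bits appear as an extra leading digit and are rejected.
mode_ok() {
    [ $(( 0$1 & ~0640 )) -eq 0 ]
}

# owner_ok USER GROUP: succeed when both match the expected application identity.
owner_ok() {
    [ "$1" = "$APP_USER" ] && [ "$2" = "$APP_GROUP" ]
}

# audit_env_file PATH: report each check; return 0 only if all pass,
# 1 on a bad mode or owner, 2 if the file is missing.
audit_env_file() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING  $f"; return 2; }
    set -- $(stat -c '%a %U %G' "$f")   # mode user group
    rc=0
    if mode_ok "$1"; then
        echo "OK    mode  $1  $f"
    else
        echo "FAIL  mode  $1  $f (want 640 or stricter)"; rc=1
    fi
    if owner_ok "$2" "$3"; then
        echo "OK    owner $2:$3"
    else
        echo "FAIL  owner $2:$3 (want $APP_USER:$APP_GROUP)"; rc=1
    fi
    return $rc
}

# fix_env_file PATH: apply the recommended owner and mode (run as root).
fix_env_file() {
    chown "$APP_USER:$APP_GROUP" "$1" && chmod 640 "$1"
}

# Run the audit when executed as:  sh env_perms.sh audit
[ "${1:-}" = audit ] && audit_env_file "$ENV_FILE"
```

Run `fix_env_file "$ENV_FILE"` as root only after the audit reports a failure, then re-run the audit to confirm.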