Environment Variables

You MUST put sensitive information into .env files

Use .env files to store any secure information and retrieve it via env function. There should be no instance on which you will put it inside models/controllers and commit it to Git.

Good

// .env

API_HOST=https://example.com/api

API_USERNAME=myuser

API_PASSWORD=secret

// access the value from app/config.php file

return [

...

'api_host' => env('API_HOST', 'https://defaultdomain.com')

'api_username' => env('API_USER', 'defaultuser')

'api_password' => env('API_USER', 'defaultpassword')

...

]

Bad

define('API_HOST', 'https://defaultdomain.com');

define('API_USERNAME', 'defaultuser');

define('API_PASSWORD', 'defaultpassword');

class DomainController extends Controller

{

public function index()

{

$api_username

}

your application key MUST be set. This is the APP_KEY variable in your .env file. You can generate one via

php artisan key:generate

Package Configuration

Custom or Package configuration filename MUST be in snake_case

Good

config/my_config.php

Bad

config/MyConfig.php

Config and language files indexes SHOULD be in snake_case

Good

// config/myconfig.php

return [

'my_api' => [

'domain' => env('API_DOMAIN'),

'secret' => env('API_SECRET'),

],

Bad

// config/myconfig.php

return [

'MyApi' => [

'DOMAIN' => env('API_DOMAIN'),

'SECRET' => env('API_SECRET'),

],

The best way to figure out if you have implemented best-practice in configuring your app, is if the codebase could be made open source at any moment without compromising any credentials