# Configuration

**Environment Variables**

**You MUST put sensitive information into .env files**

Store all sensitive information in .env files and retrieve it via the **env** function. Never put it inside models or controllers, and never commit it to Git.

Good

```
# .env
API_HOST=https://example.com/api
API_USERNAME=myuser
API_PASSWORD=secret
```

```php
// access the value from app/config.php file
return [
    // ...
    'api_host' => env('API_HOST', 'https://defaultdomain.com'),
    // the first argument must match the variable name in .env exactly
    'api_username' => env('API_USERNAME', 'defaultuser'),
    'api_password' => env('API_PASSWORD', 'defaultpassword'),
    // ...
];
```

Bad

```php
// credentials hard-coded in source end up in Git history
define('API_HOST', 'https://defaultdomain.com');
define('API_USERNAME', 'defaultuser');
define('API_PASSWORD', 'defaultpassword');

class DomainController extends Controller
{
    public function index()
    {
        // reads the hard-coded constant instead of configuration
        $api_username = API_USERNAME;
    }
}
```

**Your application key MUST be set. This is the APP\_KEY variable in your .env file. You can generate one via:**

`php artisan key:generate`
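A repository check for the two rules above, as an added example that is not part of the original guide: it reports an empty `APP_KEY` and any `env('NAME')` used under `config/` that `.env` does not define. The function names and the sample project are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): checks for a Laravel-style .env + config/ layout.

# Returns 0 when APP_KEY is present and non-empty in the given .env file.
app_key_is_set() {
    grep -Eq '^APP_KEY=.+' "$1"
}

# Prints every NAME used as env('NAME') under <config-dir> that <env-file>
# does not define; returns 1 if anything is missing.
# usage: missing_env_keys <env-file> <config-dir>
missing_env_keys() {
    env_file=$1
    config_dir=$2
    rc=0
    names=$(find "$config_dir" -name '*.php' -exec grep -hoE \
        "env\([[:space:]]*['\"][A-Za-z_][A-Za-z0-9_]*" {} + \
        | sed -E "s/^env\([[:space:]]*['\"]//" | sort -u)
    for name in $names; do
        if ! grep -Eq "^${name}=" "$env_file"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample project: config reads API_USER, but .env defines API_USERNAME.
make_sample_project() {
    dir=$(mktemp -d)
    mkdir -p "$dir/config"
    printf '%s\n' 'APP_KEY=' 'API_HOST=https://example.com/api' \
        'API_USERNAME=myuser' 'API_PASSWORD=secret' > "$dir/.env"
    cat > "$dir/config/my_config.php" <<'EOF'
<?php
return [
    'api_host'     => env('API_HOST', 'https://defaultdomain.com'),
    'api_username' => env('API_USER', 'defaultuser'),
    'api_password' => env('API_PASSWORD'),
];
EOF
    echo "$dir"
}

sample=$(make_sample_project)
app_key_is_set "$sample/.env" || echo "APP_KEY is empty: run php artisan key:generate"
missing_env_keys "$sample/.env" "$sample/config" || echo "^ not defined in .env"
rm -rf "$sample"
```

A mismatched name makes `env()` fall back to its default silently, so the application runs with the placeholder credential instead of failing.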

**Package Configuration**

**Custom or Package configuration filename MUST be in snake\_case**

Good

`config/my_config.php`

Bad

`config/MyConfig.php`

**Config and language files indexes SHOULD be in snake\_case**

Good

```php
// config/myconfig.php
return [
    'my_api' => [
        'domain' => env('API_DOMAIN'),
        'secret' => env('API_SECRET'),
    ],
];
```

Bad

```php
// config/myconfig.php
return [
    'MyApi' => [
        'DOMAIN' => env('API_DOMAIN'),
        'SECRET' => env('API_SECRET'),
    ],
];
```

*The best way to tell whether you have followed best practice in configuring your app is to ask whether the codebase could be made open source at any moment without compromising any credentials.*
