Lately, more and more SMTP credentials of Laravel applications have been used to send spam emails to the public.
This is not a loophole in the Laravel application but rather a result of incorrect setups on the developer’s side when they hurry to deploy the newly developed application.
In this shot, we will learn how to prevent our application's SMTP credentials from being hijacked.
.env file inaccessible.
Avoid installing the Laravel application in a subdirectory, but if you do, remove the .env file or set up a solid .htaccess to enforce access rules.
Remember that the .env files have some config variables, including SMTP configuration, so you will want to guard the .env file.
Even after we hide the .env file or make it inaccessible, we still need to turn off debug mode, as it exposes sensitive error details of the application. Debug mode reveals the details of the SMTP configuration when it is used to troubleshoot an application email. We can use the following setting in the .env file to turn off the application's debug mode.
APP_DEBUG=false
Normally, this option is true while in development mode.
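A deployment check covering both points above, as an added example that is not part of the original article: it flags a .env that sits inside the web server's document root without an .htaccess deny rule, and an enabled APP_DEBUG. The function names, the heuristic .htaccess pattern and the sample .env values are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): a <Files>/<FilesMatch> block naming .env that denies access.
DENY = re.compile(r"<Files(?:Match)?\s+[^>]*\.?env[^>]*>[^<]*?"
                  r"(Require\s+all\s+denied|Deny\s+from\s+all)", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, ignoring comments and blank lines."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(app_root, docroot):
    """Return findings for a Laravel app at app_root that is served from docroot."""
    app_root, docroot = Path(app_root).resolve(), Path(docroot).resolve()
    env_file = app_root / ".env"
    findings = []
    if not env_file.is_file():
        return findings
    env = parse_env(env_file.read_text())
    if env.get("APP_DEBUG", "false").lower() not in ("false", "0", ""):
        findings.append("APP_DEBUG is enabled")
    # .env can be requested over HTTP when it sits at or below the document root.
    if app_root == docroot or docroot in app_root.parents:
        htaccess = app_root / ".htaccess"
        rules = htaccess.read_text() if htaccess.is_file() else ""
        if not DENY.search(rules):
            findings.append(".env is inside the document root with no deny rule")
    return findings

def demo():
    """Constructed layouts: app served from its own root, then from public/."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        (app / "public").mkdir(parents=True)
        (app / ".env").write_text("APP_DEBUG=true\nMAIL_PASSWORD=constructed\n")
        bad = audit(app, app)              # document root is the project root
        (app / ".env").write_text("APP_DEBUG=false\nMAIL_PASSWORD=constructed\n")
        good = audit(app, app / "public")  # document root is public/
        return bad, good

if __name__ == "__main__":
    print(demo())
```

An empty list from `audit` means neither condition was found; the .htaccess match is only a pattern check and does not confirm that the web server honors the file.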