Environment variables to pass in global settings/configurations are a thing:

  • Most hosters have some sort of support for them and expose the DB settings as such, for example
  • It is really explicitly defined to be environment-specific.
  • Many systems have .env files to share those.




Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes


dawehner created an issue. See original summary.

dawehner’s picture

moshe weitzman’s picture

Issue summary: View changes

Added a Pro about security. It links to

Wim Leers’s picture

Thanks for proposing this, @dawehner! Curious what people more knowledgeable than me wrt server security have to say :) I like the apparent simplicity!

dawehner’s picture

Issue summary: View changes
dawehner’s picture

I added some blog post with some criticism.

mpdonadio’s picture

How crazy / insecure would it be to totally pull settings.php from environment, which can also handle overrides already?

shrop’s picture

This topic reminded me of this article I read a while back that speaks to security of env vars. It appears that a few people in the article have varying opinions, but worth knowing some considerations around this topic.

This one has some good tips on securing env vars:

For this article already mentioned in the issue description, I would like to see documentation around better ways to manage keys and other "secrets" than placing them in env vars.