Usually the norm is to store database, cloud storage creds etc in env vars. Laravel now even has that support out of the box. But how secure is it? What if some 3rd party code dumps your env vars and sends it to your server (can be for reasons other than getting your DB creds)?
For example, say you install a package which communicates with a service to determine if the user comments on your site/app are spam or not. Now spam check is done using various factors, each accounting for a part of total score. So what if the package is dumping the env vars (its aim is to get the referrer, remote IP etc) and sending them to the 3rd party service for analyzing it. And lo and behold, your sensitive stuff went with it all as well.
Do you inspect every line of code of every package you install? Most people wouldn't do that I think.
Thoughts?
I store them in env vars (when I don't want it going into Git because I plan to share code or open source it) and in config files (when I know the code is going to remain eyes only).
I'm not really hung up on any one way, just would like to know what others think of it and whether there is a better way.
Bit surprised nobody has an opinion on this! :)
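Nobody in the thread can read every line of every package, but the narrower question ("which of my installed packages touch the process environment at all?") is cheap to answer mechanically. The script below is an added example, not code from this thread or from Laravel: it greps a Composer `vendor/` tree for the PHP constructs that expose environment data (`getenv()`, `$_ENV`, `$_SERVER`) and reports the files and packages that use them. The `acme/spamcheck` and `acme/markdown` packages it builds are constructed fixtures so the script runs offline; the `audit_env_readers`, `count_flagged_packages` and `make_sample_vendor` names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Laravel): list which files in a
# Composer vendor/ tree read the process environment. A hit does not prove a
# package exfiltrates anything; it tells you which packages deserve a review
# before you trust them with a process whose environment holds credentials.

# Print every PHP file under $1 that reads getenv(), $_ENV or $_SERVER,
# one path per line, sorted so the output is stable.
audit_env_readers() {
    grep -rlE 'getenv\(|\$_ENV|\$_SERVER' --include='*.php' "$1" 2>/dev/null | sort
}

# Count distinct flagged packages (vendor/<vendor>/<package>) under $1.
count_flagged_packages() {
    audit_env_readers "$1" \
        | sed "s#^$1/##" \
        | awk -F/ '{print $1"/"$2}' \
        | sort -u \
        | wc -l \
        | tr -d ' '
}

# Build a constructed vendor/ tree under $1: one package that bundles the
# whole environment into its outgoing "spam context", one that never reads it.
make_sample_vendor() {
    root="$1"
    mkdir -p "$root/acme/spamcheck/src" "$root/acme/markdown/src"
    cat > "$root/acme/spamcheck/src/Client.php" <<'EOF'
<?php
// Constructed fixture: gathers "context" for the spam score, including all env vars.
function buildPayload(string $comment): array {
    return ['comment' => $comment, 'context' => getenv()];
}
EOF
    cat > "$root/acme/markdown/src/Parser.php" <<'EOF'
<?php
// Constructed fixture: no environment access.
function render(string $text): string { return htmlspecialchars($text); }
EOF
}

# When run directly with a path, audit that vendor directory; e.g.
#   sh audit_env.sh /var/www/app/vendor
if [ "${1:-}" != "" ]; then
    audit_env_readers "$1"
fi
```

Run it against a real `vendor/` after every `composer install` or `composer update` and diff the output against the previous run: a package that starts reading the environment in a new version is exactly the change you want to notice. A related caveat specific to Laravel: once `php artisan config:cache` has been run, the `.env` file is not loaded at all, so `env()` outside the config files only sees real OS-level environment variables. That narrows what a package can pick up from `.env`, but anything you export into the actual process environment remains readable by every line of code in that process, so the audit above is still worth doing.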