Environments — .env templates

One .env file per stage. They share the same shape, but a handful of keys flip as you move from your laptop to a live server — get those wrong and you either leak secrets or send real emails from a test box. The tabs below give you all three full files; the table first shows the keys that actually differ.

What changes between stages

These are the keys to double-check every time. Everything else is broadly the same across files.

Key	Local	Staging	Production
APP_ENV	local	staging	production
APP_DEBUG	true	false	false
APP_URL	http://your-project.test	https://staging.your-domain.com	https://your-domain.com
LOG_LEVEL	debug	debug	error
LOG_STACK	single	daily	daily
MAIL_MAILER	log (no real send)	smtp (Mailtrap)	smtp (live provider)
SESSION_ENCRYPT	false	false	true
SESSION_SECURE_COOKIE	—	true	true
Payment keys	—	pk_test_ / sk_test_	pk_live_ / sk_live_
TELESCOPE_ENABLED	true	true	false
DEBUGBAR_ENABLED	true	false	false

The one that bites everyone

APP_DEBUG=false in production is non-negotiable. With debug on, a stack trace can expose your DB password, API keys, and source paths to anyone who triggers an error. The production deployer enforces this, but set it correctly in the file too.

A second gotcha shows up only once the file lives on a real server, where passwords and tokens contain special characters.

Quote your values on a server

On staging and production, wrap every value in double quotes. Characters like #, $, &, ^, [, +, *, ;, and spaces break .env parsing without quotes — DB_PASSWORD=p@ss#word silently truncates to p@ss. Write DB_PASSWORD="p@ss#word" instead.

The three files

Each one carries a self-check at the bottom. Search for your- (local/staging) or the <...> markers (production) and replace.

Local

.env (local development)

# ============================================================================
# 📋 LARAVEL LOCAL DEVELOPMENT ENVIRONMENT TEMPLATE
# ============================================================================
# Purpose: Local development environment configuration
# Server: Laravel Herd / Valet / Docker / MAMP / XAMPP
# Usage: Copy to project root as ".env"
# ============================================================================
#
# 🎯 LOCAL DEV CHARACTERISTICS:
# - APP_DEBUG=true (show detailed errors)
# - LOG_LEVEL=debug (verbose logging)
# - MAIL_MAILER=log (no real emails sent)
# - QUEUE_CONNECTION=sync (immediate execution)
# - Cache/Session use file driver (simple, no Redis needed)
#
# 💡 CUSTOMIZE: Search for "your-" and replace with your values
# ============================================================================

# App Identity
APP_NAME="Your App Name"
# Domain: your-project.test (Herd) or localhost:8000 (artisan serve)
APP_URL=http://your-project.test

# Environment Settings
APP_ENV=local
APP_DEBUG=true
APP_TIMEZONE=UTC

# Security Key (generated via: php artisan key:generate)
APP_KEY=

# Localization
APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US

# Logging — Local: show everything for debugging
LOG_CHANNEL=stack
LOG_STACK=single
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

# Database — Local MySQL (Herd/MAMP): root with no password on localhost
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=your_project_local
DB_USERNAME=root
DB_PASSWORD=

# OPTIONAL: SQLite for simple local dev
# DB_CONNECTION=sqlite
# DB_DATABASE=/absolute/path/to/database.sqlite

# Cache & Session — Local: use 'file' driver (no extra services)
CACHE_STORE=file
CACHE_PREFIX=

SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_DOMAIN=null

# Queue & Broadcasting — Local: 'sync' runs jobs immediately
QUEUE_CONNECTION=sync
BROADCAST_CONNECTION=log
FILESYSTEM_DISK=local

# Redis (Optional for Local)
REDIS_CLIENT=phpredis
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379

# Mail — Local: 'log' driver writes emails to storage/logs instead of sending
MAIL_MAILER=log
MAIL_HOST=127.0.0.1
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="hello@your-project.test"
MAIL_FROM_NAME="${APP_NAME}"

# AWS / S3 (Optional) — use local storage for dev, S3 only in staging/production
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false

# Pusher / Websockets (Optional)
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_HOST=
PUSHER_PORT=443
PUSHER_SCHEME=https
PUSHER_APP_CLUSTER=mt1

VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
VITE_PUSHER_HOST="${PUSHER_HOST}"
VITE_PUSHER_PORT="${PUSHER_PORT}"
VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

# Vite / Frontend build
VITE_APP_NAME="${APP_NAME}"

# Debug tooling (local only)
TELESCOPE_ENABLED=true
DEBUGBAR_ENABLED=true

# ============================================================================
# ✅ SETUP CHECKLIST
# ============================================================================
# [ ] 1. Copy this file to project root as ".env"
# [ ] 2. Run: php artisan key:generate
# [ ] 3. Create database: mysql -u root -e "CREATE DATABASE your_project_local"
# [ ] 4. Run: php artisan migrate
# [ ] 5. Update APP_NAME, APP_URL, DB_DATABASE with your project values
# [ ] 6. Test: php artisan serve OR access via Herd (your-project.test)
# ============================================================================

Staging

.env (staging server)

# ============================================================================
# 📋 LARAVEL STAGING ENVIRONMENT TEMPLATE
# ============================================================================
# Purpose: Pre-production testing environment
# Domain: staging.your-domain.com (or subdomain)
# Usage: Copy to staging server as ".env"
# ============================================================================
#
# 🎯 STAGING CHARACTERISTICS:
# - APP_DEBUG=true (see errors, but consider false for client demos)
# - LOG_LEVEL=debug (capture everything for debugging)
# - Real email provider OR Mailtrap (no log driver!)
# - Tests payment integrations in sandbox/test mode
#
# ⚠️ ALWAYS wrap ALL values in double quotes!
# Characters like #, $, &, ^, [, +, *, ;, spaces break .env parsing without quotes.
#
# 💡 CUSTOMIZE: Search for "your-" and replace with your values
# ============================================================================

# App Identity — clearly mark as staging
APP_NAME="Your App - Staging"
APP_URL=https://staging.your-domain.com

# Environment Settings
APP_ENV=staging
APP_DEBUG=true
APP_TIMEZONE=UTC

# Security Key (generate unique key for staging!)
# Run: php artisan key:generate --show
APP_KEY=

# Localization
APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US

# Logging — Staging: full debugging; 'daily' rotates logs automatically
LOG_CHANNEL=stack
LOG_STACK=daily
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug

# Database — use a DEDICATED staging database, NEVER share with production
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=your_staging_database
DB_USERNAME=your_staging_db_user
DB_PASSWORD=<STAGING_DB_PASSWORD>

# Cache & Session — file-based works on all shared hosting
# ⚠️ FIRST INSTALL: keep 'file' — database tables don't exist yet
CACHE_STORE=file
CACHE_PREFIX=staging_

SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_ENCRYPT=false
SESSION_PATH=/
SESSION_DOMAIN=null

# Queue & Broadcasting — 'sync' until migrations create the jobs table
QUEUE_CONNECTION=sync
BROADCAST_CONNECTION=log
FILESYSTEM_DISK=public

# Redis (Optional — most shared hosting doesn't have it; leave commented)
# REDIS_CLIENT=phpredis
# REDIS_HOST=127.0.0.1
# REDIS_PASSWORD=null
# REDIS_PORT=6379
# When Redis IS available, switch CACHE_STORE / SESSION_DRIVER / QUEUE_CONNECTION to redis

# Mail — Staging: Mailtrap RECOMMENDED (emails don't reach real users)
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=your-mailtrap-username
MAIL_PASSWORD=your-mailtrap-password
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS="staging@your-domain.com"
MAIL_FROM_NAME="${APP_NAME}"

# AWS / S3 — dedicated staging bucket; never use production credentials
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=your-project-staging
AWS_USE_PATH_STYLE_ENDPOINT=false

# Pusher / Websockets
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_HOST=
PUSHER_PORT=443
PUSHER_SCHEME=https
PUSHER_APP_CLUSTER=mt1

VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
VITE_PUSHER_HOST="${PUSHER_HOST}"
VITE_PUSHER_PORT="${PUSHER_PORT}"
VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

VITE_APP_NAME="${APP_NAME}"

# Security — staging should mirror production
SESSION_SECURE_COOKIE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax

# Integrations — ⚠️ use TEST/SANDBOX keys, NOT production keys!
SENTRY_LARAVEL_DSN=
SENTRY_TRACES_SAMPLE_RATE=1.0
SENTRY_ENVIRONMENT=staging

# Stripe TEST keys start with sk_test_ and pk_test_
STRIPE_KEY=pk_test_xxxxxxxxxxxx
STRIPE_SECRET=sk_test_xxxxxxxxxxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxxxxxxxxxx

# Debug tooling (disable Debugbar for client demos)
TELESCOPE_ENABLED=true
DEBUGBAR_ENABLED=false

# ============================================================================
# ✅ STAGING SETUP CHECKLIST
# ============================================================================
# [ ] 1. Create staging database on server
# [ ] 2. Copy this file to staging server as ".env"
# [ ] 3. Generate unique APP_KEY: php artisan key:generate
# [ ] 4. Update all "your-" placeholders
# [ ] 5. Verify HTTPS is working
# [ ] 6. Set up Mailtrap for email testing
# [ ] 7. Use TEST API keys for payment providers
# [ ] 8. Run: php artisan migrate
# [ ] 9. Test critical flows before production deploy
# ============================================================================

Production

.env (production server)

# ============================================================================
# 📋 LARAVEL PRODUCTION ENVIRONMENT TEMPLATE
# ============================================================================
# Purpose: Live production environment configuration
# Domain: your-domain.com (primary production site)
# Usage: Copy to production server as ".env"
# ============================================================================
#
# 🚨 PRODUCTION CRITICAL SETTINGS:
# - APP_DEBUG=false (NEVER true in production - exposes secrets!)
# - APP_ENV=production (enables production optimizations)
# - LOG_LEVEL=error (only log errors, not debug info)
# - All secrets must be strong, unique passwords
# - HTTPS enforced via SESSION_SECURE_COOKIE=true
#
# ⚠️ ALWAYS wrap ALL values in double quotes!
# Example: DB_PASSWORD=p@ss#w&rd$1 silently truncates to p@ss
# Correct: DB_PASSWORD="p@ss#w&rd$1"
#
# ⚠️ SECURITY WARNINGS:
# - NEVER commit this file to Git with real secrets
# - Rotate passwords/API keys quarterly
# - Use separate database user with limited privileges
#
# 💡 CUSTOMIZE: Search for "<" and ">" placeholders
# ============================================================================

# App Identity
APP_NAME="Your App Name"
APP_URL=https://your-domain.com

# Environment Settings — ⚠️ APP_DEBUG must be FALSE!
APP_ENV=production
APP_DEBUG=false
APP_TIMEZONE=UTC

# Security Key (generate unique for production!)
# Run: php artisan key:generate --show — NEVER share or commit this key
APP_KEY=

# Localization
APP_LOCALE=en
APP_FALLBACK_LOCALE=en
APP_FAKER_LOCALE=en_US

# Maintenance mode driver
APP_MAINTENANCE_DRIVER=file
APP_MAINTENANCE_SECRET=<random-secret-for-maintenance-bypass>

# Logging — Production: only errors and above
LOG_CHANNEL=stack
LOG_STACK=daily
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=error

# Database — use a dedicated user (not root!), strong 32+ char password
DB_CONNECTION=mysql
DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=<production_database_name>
DB_USERNAME=<production_database_user>
DB_PASSWORD=<STRONG_PRODUCTION_DB_PASSWORD>

# Cache & Session
# ⚠️ FIRST INSTALL: keep 'file' — tables don't exist yet. Upgrade later.
# Performance tiers (best→worst): redis > database > file
CACHE_STORE=file
CACHE_PREFIX=prod_

SESSION_DRIVER=file
SESSION_LIFETIME=120
SESSION_ENCRYPT=true
SESSION_PATH=/
SESSION_DOMAIN=null

# Queue & Broadcasting — 'sync' until migrations create the jobs table
QUEUE_CONNECTION=sync
BROADCAST_CONNECTION=log
FILESYSTEM_DISK=public

# Redis (Optional — enable when available)
# REDIS_CLIENT=phpredis
# REDIS_HOST=127.0.0.1
# REDIS_PASSWORD=<REDIS_PASSWORD_IF_SET>
# REDIS_PORT=6379
# When Redis IS available, switch CACHE_STORE / SESSION_DRIVER / QUEUE_CONNECTION to redis

# Mail — Production: reliable transactional provider; ⚠️ NEVER 'log' driver
MAIL_MAILER=smtp
MAIL_HOST=[SMTP_HOST]
MAIL_PORT=[SMTP_PORT]
MAIL_USERNAME=[MAIL_USERNAME]
MAIL_PASSWORD=[MAIL_PASSWORD]
MAIL_ENCRYPTION=[ssl_or_tls]
MAIL_FROM_ADDRESS="noreply@[DOMAIN]"
MAIL_FROM_NAME="${APP_NAME}"
# Providers: Titan smtp.titan.email:465 ssl · SendGrid smtp.sendgrid.net:587 tls · Mailgun smtp.mailgun.org:587 tls

# AWS / S3 — IAM user with minimal permissions
AWS_ACCESS_KEY_ID=<your-aws-access-key>
AWS_SECRET_ACCESS_KEY=<your-aws-secret-key>
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=<your-production-bucket>
AWS_USE_PATH_STYLE_ENDPOINT=false

# Pusher / Websockets
PUSHER_APP_ID=<your-pusher-app-id>
PUSHER_APP_KEY=<your-pusher-app-key>
PUSHER_APP_SECRET=<your-pusher-app-secret>
PUSHER_HOST=
PUSHER_PORT=443
PUSHER_SCHEME=https
PUSHER_APP_CLUSTER=mt1

VITE_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
VITE_PUSHER_HOST="${PUSHER_HOST}"
VITE_PUSHER_PORT="${PUSHER_PORT}"
VITE_PUSHER_SCHEME="${PUSHER_SCHEME}"
VITE_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"

VITE_APP_NAME="${APP_NAME}"

# Security — ALL of these should be enabled in production!
SESSION_SECURE_COOKIE=true
SESSION_HTTP_ONLY=true
SESSION_SAME_SITE=lax
BCRYPT_ROUNDS=12

# Integrations — ⚠️ use LIVE/PRODUCTION keys only!
SENTRY_LARAVEL_DSN=https://xxx@xxx.ingest.sentry.io/xxx
SENTRY_TRACES_SAMPLE_RATE=0.1
SENTRY_ENVIRONMENT=production

# Stripe LIVE keys start with sk_live_ and pk_live_
STRIPE_KEY=pk_live_xxxxxxxxxxxx
STRIPE_SECRET=sk_live_xxxxxxxxxxxx
STRIPE_WEBHOOK_SECRET=whsec_xxxxxxxxxxxx

GOOGLE_ANALYTICS_ID=G-XXXXXXXXXX

# Production-only settings — disable debug tooling, enable optimizations
TELESCOPE_ENABLED=false
DEBUGBAR_ENABLED=false
OPCACHE_ENABLED=true
RATE_LIMIT_ENABLED=true

# ============================================================================
# ✅ PRODUCTION DEPLOYMENT CHECKLIST
# ============================================================================
# [ ] 1. APP_DEBUG is FALSE (⚠️ CRITICAL!)
# [ ] 2. APP_ENV is 'production'
# [ ] 3. Unique APP_KEY generated for production
# [ ] 4. Strong database password (32+ characters)
# [ ] 5. HTTPS enabled and working
# [ ] 6. SESSION_SECURE_COOKIE is TRUE
# [ ] 7. Using LIVE API keys (not test/sandbox)
# [ ] 8. Error tracking (Sentry) configured
# [ ] 9. Email delivery tested
# [ ] 10. Backups configured and tested
# [ ] 11. php artisan config:cache (after ALL changes)
# [ ] 12. php artisan route:cache
# [ ] 13. php artisan view:cache
# [ ] 14. Queue workers running via Supervisor
# ============================================================================

First install vs. later

On a fresh server, keep CACHE_STORE, SESSION_DRIVER, and QUEUE_CONNECTION on the simple defaults (file / sync) until migrations have created the sessions, cache, and jobs tables. Switching them too early points the app at tables that do not exist yet and the boot fails. Upgrade to database or redis after the first successful migrate.

Once all three files are in place and the first migrate has run, the web-server layer is what locks everything down.

Next file

With the environment files set, lock down the web server and git — Apache routing, security headers, and a .gitignore that keeps these .env files out of history.