Learn how to rotate your Laravel APP_KEY safely. Covers manual rotation, key rings with old keys, side effects, and when to drop old keys.
Laravel’s APP_KEY isn’t just another config value: it is the root cryptographic key for your app. It encrypts sessions and cookies, and it signs the URLs your app generates.
If that key leaks, an attacker can forge cookies, hijack sessions, or decrypt sensitive blobs. Unfortunately, many teams generate it once and never touch it again. That’s not sustainable, and it’s a recipe for hidden risk.
continue reading on ghostable.dev