This is probably a dumb question for some people and I'm probably gonna get some down votes but I need to know.
How to secure passwords (sensitive info) for production mode in Symfony 4.2?
I thought when I compile composer dump-env prod it's gonna be secured and not visible to public but if I run phpinfo(); I can see all my passwords in plain text ...
DATABASE_URL
MAILER_URL
Should I store them in services.yaml as before under parameters?
But then why we even have .env file?
Or I shouldn't be bothered about that as soon as none has access to the CLI of my server?
The most common and safe'ish way i know of to store passwords in production, is to use environment variables. Writing passwords in .env or other files in the application repo can lead to accidental leaks through commits to GitHub, code sharing etc.
The .env file is an easy way to make environment variables and should mainly be used for local development.
In production you would create environment variables manually on the host and/or through something like the apache/nginx config, docker, kubernetes secrets etc.
The public should never have access to see phpinfo() or your environment variables.