My app works with empty APP_KEY - is it ok?

Today I move my app to another server and forgot to generate APP_KEY, so it empty.

To my surprise, everythings starts and works ok. However, as I understand, it should push exception, isnt it?


Yes, it is normal that your application is working without having APP_KEY generated.

It is normal but not a safe practice because without it, the tokens that your application may generate to authenticate the user will be stored in plain form, not encrypted. Hence you are enhancing the attack surface.