Please add in apache2.conf by default:
# The following lines prevent .env files from being
# viewed by Web clients.
Require all denied
Laravel use this file for configuration and some developers forget to disbale access to this file from an htaccess file. In this .env file, sometimes SMTP and database settings are stored.