
Twelve-Factor App

architecture PHP 5.0+ Intermediate

Also Known As

12-factor app, twelve factor methodology, 12factor

TL;DR

A methodology for building scalable, maintainable SaaS applications using twelve best practices for configuration, processes, and services.

Explanation

The Twelve-Factor App methodology (Heroku, 2011) defines: I. Codebase (one repo), II. Dependencies (declared, isolated), III. Config (in environment), IV. Backing services (attached resources), V. Build/release/run (strict separation), VI. Processes (stateless), VII. Port binding (self-contained), VIII. Concurrency (scale-out), IX. Disposability (fast startup/graceful shutdown), X. Dev/prod parity, XI. Logs (treated as event streams), XII. Admin processes. For PHP, Factor III (config in environment) and Factor VI (stateless processes) have the largest security and scalability implications.

Diagram

flowchart TD
    subgraph The 12 Factors
        F1[1 Codebase<br/>one repo] 
        F2[2 Dependencies<br/>explicitly declared]
        F3[3 Config<br/>in environment]
        F4[4 Backing Services<br/>attached resources]
        F5[5 Build Release Run<br/>strict separation]
        F6[6 Processes<br/>stateless]
        F7[7 Port Binding<br/>self-contained]
        F8[8 Concurrency<br/>process model]
        F9[9 Disposability<br/>fast startup]
        F10[10 Dev/Prod Parity<br/>keep similar]
        F11[11 Logs<br/>treat as streams]
        F12[12 Admin Processes<br/>one-off tasks]
    end
style F1 fill:#238636,color:#fff
style F3 fill:#238636,color:#fff
style F6 fill:#1f6feb,color:#fff

Common Misconception

The misconception is that the twelve-factor app is a cloud-native checklist that only applies to microservices. In fact, the methodology applies to any web application: monoliths benefit just as much from config in environment variables, stateless processes, and dependency isolation as microservices do.

Why It Matters

The Twelve-Factor methodology provides a portable, scalable application design — applications built to its principles deploy identically to any cloud, scale horizontally without refactoring, and have no dev/production divergence.

Common Mistakes

  • Storing config in code instead of environment variables — factor III.
  • Local filesystem state that does not survive container restarts — factor VI (stateless processes).
  • Admin tasks (migrations, scripts) run inside the web server process — factor XII (run admin as one-off processes).
  • Hardcoded service URLs instead of environment-variable-configured backing services — factor IV.

Code Examples

✗ Vulnerable
// Violates factor III — config in code:
define('DB_HOST', 'db.prod.internal'); // Should be: getenv('DB_HOST')
define('API_KEY', 'sk-prod-abc123');    // Should be: getenv('API_KEY')

// Violates factor VI — filesystem state:
file_put_contents('/tmp/user_sessions/' . $id, $data); // Lost on restart

✓ Fixed
# Key factors and PHP implications:

# I — Codebase: one repo, deploy to many envs via env vars
# II — Dependencies: composer.json, no system-wide packages
#   shell: composer install --no-dev

# III — Config: env vars, never hardcoded
# getenv() also works when variables_order leaves $_ENV empty
$dsn = sprintf('pgsql:host=%s;dbname=%s', getenv('DB_HOST'), getenv('DB_NAME'));

# VI — Processes: stateless — no local filesystem writes
# Upload files → S3, sessions → Redis (not filesystem)
ini_set('session.save_handler', 'redis'); # directive is session.save_handler; needs the phpredis extension
ini_set('session.save_path', getenv('REDIS_URL')); # REDIS_URL is an assumed variable name

# VII — Port binding: PHP-FPM binds to a port, nginx proxies
# IX — Disposability: fast startup (OPcache), graceful shutdown
# XI — Logs: write to stdout, let platform aggregate
#   php.ini: error_log = /dev/stderr
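
Factors III, VI and XI from the fixed snippet above, worked into one bootstrap file that fails fast on missing config. This is an added example, not CodeClarityLab's code; the environment variable names, `envOrFail()` and `loadConfig()` are assumptions, as is the use of the phpredis extension for sessions.

```php
<?php
declare(strict_types=1);

// Added example. The variable names (DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASS,
// REDIS_URL) are assumptions; use whatever your deployment defines.

/** Factor III: read one setting from the environment, failing fast if absent. */
function envOrFail(string $name, ?string $default = null): string
{
    $value = getenv($name); // works even when variables_order leaves $_ENV empty
    if ($value !== false && $value !== '') {
        return $value;
    }
    if ($default !== null) {
        return $default;
    }
    // Name the missing variable but never echo values: they may be secrets.
    throw new RuntimeException("Missing required environment variable: {$name}");
}

/** Resolve all config once at startup so a bad release dies before serving traffic. */
function loadConfig(): array
{
    return [
        'dsn' => sprintf('pgsql:host=%s;port=%s;dbname=%s',
            envOrFail('DB_HOST'), envOrFail('DB_PORT', '5432'), envOrFail('DB_NAME')),
        'db_user'   => envOrFail('DB_USER'),
        'db_pass'   => envOrFail('DB_PASS'),
        'redis_url' => envOrFail('REDIS_URL'), // e.g. tcp://redis:6379 (constructed)
    ];
}

try {
    $config = loadConfig();
} catch (RuntimeException $e) {
    // Factor XI: with error_log = /dev/stderr this is one event on the log stream.
    error_log('[config] ' . $e->getMessage());
    exit(1);
}

// Factor VI: session state lives in an attached backing service, not local disk.
// Assumes the phpredis extension, which provides the "redis" save handler.
ini_set('session.save_handler', 'redis');
ini_set('session.save_path', $config['redis_url']);

$pdo = new PDO($config['dsn'], $config['db_user'], $config['db_pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

Because the error path logs only the variable name, a misconfigured release can be diagnosed from the log stream without any credential value appearing in it.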

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: High
⚡ Quick Fix
Audit your PHP app against the 12 factors: config in env vars, stateless processes, admin tasks as one-off processes, logs to stdout. Start with the three most impactful: config, processes, logs.
📦 Applies To
PHP 5.0+ web cli queue-worker
🔍 Detection Hints
Config in code not env vars; session on local disk; logs written to file not stdout; dev/prod parity gap; manual scaling
Auto-detectable: ✗ No semgrep dockerlint
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: High Context: File Tests: Update
