On the Laravel News site they've posted an article with some reminders about installing Laravel in a subfolder including "hiding" your .env file.

If you are new to Laravel you might not be familiar with its directory structure and the reasons why it’s setup the way it is. If you look at the main repository it’s setup like this, and the documentation covers what each of these folders handles.

What is important here is the “public” folder. That is the ONLY directory you want to be exposed through the web. Everything else should be outside of your web root, this way people can’t access any of your important files through the browser.

He gives an example of an instance where a site was in a subfolder and, just by changing the URL, he was able to locate (and view!) the .env file complete with sensitive information. The rest of the post gives instructions on installing it in a subfolder, moving around a few folders and updating the front controller to change the autoload and bootstrap locations.