Exposed Secrets
Severity: Critical

.env File Accessible Publicly or Committed to Git

What Is This Vulnerability?

The .env file, which typically stores database credentials, API keys, and other secrets, has been committed to version control or is reachable through the web server. Everything in it is then readable by anyone who can view the repository, including its history, or who requests the file's URL.

Why It Happens

Developers create .env files locally and forget to add them to .gitignore before making their first commit. Some web server configurations serve static files from the project root, making .env accessible via a direct HTTP request. Starter templates sometimes include example .env files that get committed accidentally.

Example Code

Vulnerable: .env
DATABASE_URL=postgres://admin:s3cretPassw0rd@db.example.com:5432/myapp
STRIPE_SECRET_KEY=sk_live_4eC39HqLyjWDarjtT1zdp7dc
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
JWT_SECRET=super-secret-jwt-signing-key-2024
Fixed: .gitignore
# Environment files with secrets
.env
.env.local
.env.production
.env.*.local

# .env.example (placeholders only) is not matched by the patterns above,
# because a gitignore pattern without a slash matches the whole file name,
# so the template stays tracked for other developers to copy from.

How Hackers Exploit It

Attackers use tools like dirsearch and gobuster to probe web servers for common filenames, .env among them, and the probe is cheap enough to run against every host they can find. On GitHub, simple searches for committed .env files surface thousands of results. Once found, the file hands the attacker every credential it holds, often including database, payment, and cloud provider access.

How to Fix It

Add .env to .gitignore before your first commit. If the file was already committed, remove it from tracking with git rm --cached .env; this keeps your working copy but leaves the secrets in every earlier commit and in every clone or fork, so rotate every secret the file ever contained and treat the old values as compromised. Configure your web server to deny requests for dotfiles. Use a secrets manager for production deployments instead of relying on .env files.
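The web-server part of the fix, as an added example that is not part of the original page: an nginx server block that exposes .env beside the corrected one. The server name and paths are assumptions; the same idea in Apache is a FilesMatch block on "^\." with Require all denied.

```nginx
# Vulnerable: the whole project directory is the document root, so a request
# for /.env is served straight from disk as a static file.
server {
    listen 80;
    server_name example.com;             # assumed host name
    root /var/www/myapp;                 # assumed project root; .env lives here

    location / {
        try_files $uri $uri/ =404;
    }
}

# Fixed: serve only the public/ subdirectory, and refuse every dotfile anyway
# (defence in depth for .git, .htpasswd and the like, not just .env).
server {
    listen 80;
    server_name example.com;
    root /var/www/myapp/public;          # .env is now outside the served tree

    # A regex location beats the plain "location /" prefix match, so this
    # catches /.env, /.env.local, /.git/config and so on.
    # The negative lookahead keeps /.well-known reachable for ACME challenges.
    location ~ /\.(?!well-known/) {
        return 404;                      # 404 rather than 403: a 403 confirms the file exists
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run nginx -t after the change and then request /.env yourself; the fixed configuration answers 404 whether or not the file exists on disk.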

Frequently Asked Questions

How can I check if my .env file is committed to git?
Run git ls-files .env in your repository. If it returns .env, the file is tracked. Remove it with git rm --cached .env, add .env to .gitignore, and commit the change. Then run git log --all --oneline -- .env: any output means the secrets are still in history, so rotate all secrets that were in the file.
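The git steps from "How to Fix It" and this answer, walked through end to end as an added example (not code from the original page): it builds a throwaway repository whose first commit accidentally includes .env, untracks the file the way the page describes, and then shows that the secret is still recoverable from history. git is assumed to be installed; the repository, file contents and identity are constructed fixtures with fake values.

```shell
#!/bin/sh
# Added example (not from the original page): untrack a committed .env in a
# throwaway repo, then show the secret survives in history afterwards.
# Requires git; everything in the repo is a constructed fixture with fake values.

# Commit with a fixed identity so the demo also works where git has no user config.
git_commit() {
    dir=$1; shift
    git -C "$dir" -c user.name=demo -c user.email=demo@example.com commit -q "$@"
}

# Exit 0 if .env is currently tracked in the repo at $1 (the page's ls-files check).
env_is_tracked() {
    [ -n "$(git -C "$1" ls-files .env)" ]
}

# Exit 0 if any commit on any branch ever contained .env.
env_in_history() {
    [ -n "$(git -C "$1" log --all --oneline -- .env)" ]
}

# The fix from the page: stop tracking, ignore, commit. The working copy is kept.
untrack_env() {
    git -C "$1" rm -q --cached .env
    printf '%s\n' '# Environment files with secrets' '.env' '.env.local' '.env.*.local' \
        >> "$1/.gitignore"
    git -C "$1" add .gitignore
    git_commit "$1" -m "Stop tracking .env"
}

# Build a repo whose first commit accidentally included .env; prints its path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'DATABASE_URL=postgres://admin:s3cretPassw0rd@db.example.com:5432/myapp\n' \
        > "$dir/.env"                                   # constructed fake secret
    printf 'console.log("hello")\n' > "$dir/app.js"
    git -C "$dir" add .env app.js
    git_commit "$dir" -m "Initial commit (accidentally includes .env)"
    printf '%s\n' "$dir"
}

# Walkthrough: DOTENV_DEMO=1 sh this_script.sh
if [ "${DOTENV_DEMO:-0}" = 1 ]; then
    repo=$(make_demo_repo)
    env_is_tracked "$repo" && echo "before: .env is tracked"
    untrack_env "$repo"
    env_is_tracked "$repo" || echo "after:  .env is no longer tracked"
    env_in_history "$repo" && echo "after:  .env is still in history, rotate every secret"
    git -C "$repo" log --all --oneline -- .env
fi
```

The last command prints both commits, which is the point: git rm --cached only changes what future commits contain. Anyone with a clone, a fork, or read access to the repository can still run git show on the first commit, so rotation is mandatory and history rewriting (for example with git filter-repo) is only a clean-up step, never a substitute.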
Is .env.example safe to commit?
Yes, as long as it contains only placeholder values and no real secrets. Use entries like DATABASE_URL=your-database-url-here so other developers know which variables to set without exposing actual credentials.
Can my .env file be accessed through my web server?
Yes, if your web server serves files from the project root or a parent directory. Test by requesting https://yoursite.com/.env in a browser or with curl: a 200 response whose body is KEY=VALUE lines confirms exposure, while a 200 that returns your app's HTML (common with catch-all routes) does not. Configure your server to block requests for dotfiles using rules in nginx, Apache, or your CDN.
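The probe described under "How Hackers Exploit It" and the self-test in this answer, as an added example that is not part of the original page: a small shell check that requests the dotfile names from the page's .gitignore and judges the response body rather than trusting the status code. It assumes curl is installed and that you pass your own site's base URL; the sample bodies used for the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): probe a site for an exposed .env
# and judge the body, not just the status code. Frameworks with a catch-all
# route often answer 200 with an HTML page for /.env, so a 200 alone proves nothing.
# Assumes curl is installed; the base URL is whatever the caller passes in.

# Exit 0 when $1 (a response body) reads like a dotenv file: no HTML markup and
# at least two KEY=VALUE lines.
looks_like_dotenv() {
    body=$1
    if printf '%s\n' "$body" | grep -qiE '<html|<!doctype'; then
        return 1
    fi
    kv=$(printf '%s\n' "$body" | grep -c '^[A-Za-z_][A-Za-z0-9_]*=' || true)
    [ "$kv" -ge 2 ]
}

# Print only the variable names from a dotenv body, one per line, so the scan
# report never re-leaks the values it just found.
dotenv_var_names() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# Probe the dotfile names the page's .gitignore lists under base URL $1.
# Exit 1 if anything is exposed (so this can fail a CI job), else 0.
check_env_exposure() {
    base=${1%/}
    exposed=0
    for name in .env .env.local .env.production; do
        url="$base/$name"
        tmp=$(mktemp)
        # curl prints 000 as the code when the connection itself fails
        status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$url" || true)
        body=$(cat "$tmp"); rm -f "$tmp"
        if [ "${status:-000}" = 200 ] && looks_like_dotenv "$body"; then
            echo "EXPOSED $url  vars: $(dotenv_var_names "$body" | tr '\n' ' ')"
            exposed=1
        else
            echo "ok      $url (HTTP ${status:-000})"
        fi
    done
    return $exposed
}

# Usage: sh check_env.sh https://yoursite.com
if [ "$#" -gt 0 ]; then
    check_env_exposure "$1"
fi
```

Run it against staging as well as production, since staging hosts are often deployed with looser server configuration, and wire the non-zero exit into the deploy pipeline so an exposed .env blocks the release rather than waiting for a scanner to find it.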
Should I encrypt my .env file?
For local development, encryption is usually unnecessary if the file is gitignored. For CI/CD and production, use your platform's native secrets management (such as GitHub Actions secrets, Vercel environment variables, or AWS Secrets Manager) rather than encrypted .env files.
