Why an exposed .env is a catastrophe (and how to fix it in a minute)
One file, one request, and an attacker holds the keys to your database and your payment gateway. Why it happens, and how to close it for good.
Your .env file is the quiet centre of most applications. It holds the database connection, the API keys, the secret that signs your sessions. It is built to never leave the server. And it is still one of the most common serious findings I see.
How it happens
A "copy the whole directory to the server" deploy takes .env along with everything else. When the web server then serves static files from the project root, this is what you get:
GET /.env HTTP/1.1
Host: your-site.com
HTTP/1.1 200 OK
Content-Type: text/plain
DATABASE_URL=postgres://user:password@db:5432/app
STRIPE_SECRET_KEY=sk_live_...
One request, and an attacker has a connection to your production database and a live payment key.
Why it's worse than it looks
It isn't just that one file. With DATABASE_URL they read your data and delete it. With STRIPE_SECRET_KEY they see your customers and issue refunds. And because secrets get recycled across environments, one leak often unlocks staging and local too.
The fix
- Never serve the project root. Your webroot is
public/ordist/, not the whole repository. - Block it at the server level — in nginx,
location ~ /\.env { deny all; }. - Rotate every key that was ever exposed. If it leaked, it is compromised, even if it was only for five minutes.
Checking whether your .env is out there takes a second. Not checking can cost you everything.
Zjistěte, co váš web prozrazuje
Spusťte zdarma audit a za půl minuty máte konkrétní nálezy — bez registrace.
Zkontrolovat webČtěte dál
The scanner said the site was clean. Then I read the code.
A deep audit of one platform turned up 40 issues — four of them critical. Not one of the four would show up on an automated scan. Here's why, and what it means for your site.
17. července 2026
The security headers your site is probably missing
A handful of HTTP response headers switch off whole classes of attack — and cost nothing but a few lines of config. Here's what each one does, in plain language.
16. července 2026