Exposed .env files: how attackers find your secrets
An .env file holds database passwords, API keys, and signing secrets. If it's reachable over the web — at /.env, /.env.production, or a backup like /.env.backup — anyone can download it and take over your services.
What it is
Environment files are meant to stay on the server and never be served to clients. A misconfigured static handler, a stray copy in the web root, or a framework that serves dotfiles can expose them.
Attackers don't guess — they run automated scans that request /.env and dozens of variants against millions of hosts continuously. A reachable file is found within hours.
Why it matters
These files routinely contain production database URLs, Stripe secret keys, JWT signing secrets, and cloud credentials. One leak can mean full data theft, fraudulent charges, and account takeover.
Because the secrets are valid until rotated, the damage continues long after the file is removed unless you rotate everything it contained.
How to fix it
Deny access to .env and other dotfiles in your web server or proxy config.
location ~ /\.(?!well-known).* {
    deny all;
    return 404;
}

Store configuration outside any directory the server serves statically, and make sure your build doesn't copy .env files into the published output.
If a file was ever reachable, treat every secret in it as compromised and rotate database passwords, API keys, and tokens immediately.
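The second fix above (never let a build copy .env files into the published output) is easy to enforce as a pre-publish gate. The script below is an added example, not AppSafe's code: it walks a build output directory and refuses to publish if any .env-style file is present. The directory name, the file names and the secrets in the sample tree are constructed for the demonstration; the name pattern (.env, .env.<anything>, .env~) is an assumption about what a build should never ship.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

# Names a static build should never publish: the base .env file, per-environment
# variants such as .env.production, and backup or editor copies such as .env.backup
# or .env~. The pattern is a conservative assumption; it also catches .env.example,
# which is harmless to block.
DOTENV_PATTERN = re.compile(r"^\.env(\..+|~)?$")


def find_dotenv_files(publish_dir):
    """Return the sorted relative paths of every .env-style file below publish_dir."""
    root = Path(publish_dir)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if DOTENV_PATTERN.match(name):
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def publish_is_clean(publish_dir):
    """True when the build output contains no .env-style file."""
    return not find_dotenv_files(publish_dir)


def build_sample_publish_dir():
    """Constructed sample build output (not a real project): one legitimate page
    plus three files that a careless copy step dragged in. Values are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="publish-"))
    (root / "index.html").write_text("<html><body>hello</body></html>\n")
    (root / ".env").write_text("DB_PASSWORD=placeholder-not-real\n")
    (root / ".env.production").write_text("STRIPE_SECRET_KEY=sk_placeholder\n")
    (root / "config").mkdir()
    (root / "config" / ".env.backup").write_text("JWT_SECRET=placeholder\n")
    (root / "env.example.txt").write_text("not a dotfile\n")  # must not be flagged
    return root


if __name__ == "__main__":
    # Usage: python check_publish.py <build-output-dir>
    # Without an argument, runs against the constructed sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_publish_dir()
    leaked = find_dotenv_files(target)
    for rel in leaked:
        print(f"refusing to publish: {rel}")
    sys.exit(1 if leaked else 0)
```

Wire it into the deploy pipeline so a non-zero exit aborts the upload; the deny rule in the web server config is the backstop, this check stops the file from reaching the server at all.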
FAQ
I removed the file — am I safe?
Not until you rotate the secrets. Anyone who downloaded it still holds valid credentials until you change them.
How would I know if mine is exposed?
Request https://yourdomain.com/.env in a browser. If you see KEY=value lines instead of a 404, it's exposed. AppSafe checks this automatically.
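The browser check above can be automated for your own domain. The script below is an added example, not AppSafe's scanner: it requests the three paths the article names and classifies each response, treating a 2xx body as a leak only when it actually parses as KEY=value lines. That distinction matters because many single-page apps answer every path with a 200 and index.html, which is not an exposure. The sample responses, host names and secret values are constructed for the demonstration; the dotenv-line grammar (optional "export", then NAME=value) is an assumption.

```python
import re
import sys
import urllib.error
import urllib.request

# Paths named in the article; probe your own deployment for each of them.
DOTENV_PATHS = ["/.env", "/.env.production", "/.env.backup"]

# One dotenv line: KEY=value, optionally prefixed with "export" (assumed grammar).
ENV_LINE = re.compile(r"^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*=")


def looks_like_dotenv(body):
    """True if the text reads as a dotenv file: at least one KEY=value line and
    nothing else besides blank lines and # comments. HTML fails this test."""
    lines = [ln.strip() for ln in body.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    return bool(lines) and all(ENV_LINE.match(ln) for ln in lines)


def classify(status, body):
    """Classify one HTTP response to a dotfile path.
    'exposed'   - 2xx whose body parses as dotenv content
    'refused'   - 404 (the return 404 rule) or 403 (a plain deny rule)
    'other'     - anything else, e.g. an SPA serving index.html for every path"""
    if status in (403, 404):
        return "refused"
    if 200 <= status < 300 and looks_like_dotenv(body):
        return "exposed"
    return "other"


def check_path(base_url, path, timeout=5):
    """Fetch base_url + path and classify the response. Network call: run it
    against a domain you operate."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "dotenv-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "leak": (200, "# production\nDB_URL=postgres://app:placeholder@db/app\n"
                  "export STRIPE_SECRET_KEY=sk_placeholder\n"),
    "nginx-deny": (404, "<html><head><title>404 Not Found</title></head></html>\n"),
    "spa-catch-all": (200, "<!doctype html><html><body><div id=\"root\"></div></body></html>\n"),
}


def classify_samples():
    """Run the classifier over the constructed samples; returns {name: verdict}."""
    return {name: classify(status, body) for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    # Usage: python dotenv_check.py https://yourdomain.com
    # Without an argument, classifies the constructed samples instead of making requests.
    if len(sys.argv) > 1:
        for p in DOTENV_PATHS:
            print(p, check_path(sys.argv[1], p))
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

A verdict of "exposed" on any path means the file is public right now and every secret in it needs rotating, regardless of how quickly you then block the path.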
Is your app affected?
AppSafe checks for this and dozens of other issues in one free scan.
Scan my app free