Exposed .env Files
High severity
What is this?
Environment files (.env) store configuration that should never be public: database passwords, API keys, secret tokens, payment processor credentials, and third-party service secrets. When your web server serves these files to anyone who requests them, every secret in that file is compromised instantly.
Why it happens
The most common cause is deploying your entire project directory to a web server without restricting which files are served. This happens with raw cp or rsync deployments, Docker containers that copy the full project into the web root, or simply forgetting to configure your web server to block dotfiles. Some developers also commit .env files to git and deploy the full repository to production.
What's at risk
A leaked .env file typically gives attackers direct access to your database, email service, payment processor, and any third-party API your app uses. This means full database takeover, financial loss from abused payment keys, mass email sending through your accounts, and complete compromise of any service those API keys can access.
How to check
The simplest manual check: open your browser and visit yoursite.com/.env. If you see key-value pairs with passwords and tokens, it is exposed. You should also check common variants like .env.local, .env.production, and .env.backup.
How to fix
Block all dotfiles at the web server level. This is the most reliable fix because it protects against any dotfile, not just .env.
Nginx:
    location ~ /\. {
        deny all;
        return 404;
    }
Apache (.htaccess):
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
Platforms like Vercel and Netlify block dotfiles by default. If you are deploying to bare servers, always configure this explicitly. As a general rule, never place .env files inside your web-accessible root directory.
How Preflyt detects it
Preflyt checks common .env file paths and variants (.env, .env.local, .env.production, .env.backup) and verifies whether the response contains sensitive configuration data like key-value pairs with passwords or tokens, rather than an error page or HTML content.
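The check described above, as an added self-check script for your own site (example code, not Preflyt's own scanner): it requests the four listed variants and treats a response as exposed only when the body is dotenv-style KEY=value content with a secret-looking key, not HTML or an error page. The path list, the regexes and the sample bodies are assumptions constructed for this example.

```python
import re
import sys
import urllib.request

# The variants the page lists as the ones to check.
ENV_PATHS = ["/.env", "/.env.local", "/.env.production", "/.env.backup"]
# A dotenv line: optional "export", then KEY=value.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=")
# Key names that indicate the line carries a credential (heuristic).
SENSITIVE_KEY = re.compile(r"PASS|SECRET|TOKEN|KEY", re.IGNORECASE)


def looks_like_env(body: str, content_type: str = "") -> bool:
    """True when the body is dotenv-style config rather than HTML or an error page."""
    if "text/html" in content_type.lower() or "<html" in body[:512].lower():
        return False
    lines = [ln for ln in body.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    kv = [ln for ln in lines if ENV_LINE.match(ln)]
    # Most non-comment lines must be KEY=value, and at least one key must look secret.
    if not kv or len(kv) < (len(lines) + 1) // 2:
        return False
    return any(SENSITIVE_KEY.search(ln.split("=", 1)[0]) for ln in kv)


def check_site(base_url: str, timeout: float = 5.0) -> list:
    """Return the URLs under base_url (your own site) that serve dotenv-looking content."""
    exposed = []
    for path in ENV_PATHS:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"User-Agent": "env-exposure-self-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                ctype = resp.headers.get("Content-Type", "")
                body = resp.read(65536).decode("utf-8", errors="replace")
        except OSError:  # 4xx/5xx (HTTPError), DNS failure, timeout: nothing served
            continue
        if looks_like_env(body, ctype):
            exposed.append(url)
    return exposed


# Constructed sample responses, used to exercise the classifier offline.
SAMPLE_ENV = "# app config\nAPP_ENV=production\nDB_PASSWORD=hunter2\nexport STRIPE_SECRET_KEY=sk_test_placeholder\n"
SAMPLE_404 = "<!DOCTYPE html><html><body><h1>404 Not Found</h1></body></html>"
SAMPLE_TEXT = "Welcome to our site.\nContact us at support@example.com\n"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: env_check.py https://yoursite.example")
    for hit in check_site(sys.argv[1]):
        print("EXPOSED:", hit)
```

A hit means the server handed out the file body itself, so rotate every credential in it and then add the dotfile block from the fix section.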
Frequently asked questions
Can exposed .env files be indexed by Google?
Yes. Google and other search engines can discover and index .env files if they are publicly accessible. Once indexed, your secrets appear in search results. Even after fixing the exposure, cached versions may persist in search indexes for weeks.
How do I block .env access in Nginx?
Add location ~ /\. { deny all; return 404; } to your Nginx server block. This blocks all dotfiles, not just .env. Reload Nginx after making changes.
Does deleting .env from git history fix the problem?
Deleting the file from git history removes it from future clones, but anyone who already cloned the repo still has it. You must also rotate every secret that was exposed - treat all credentials in that file as compromised.