The .env file containing API keys, database credentials, and secrets is publicly accessible at the production URL.
Add .env to .gitignore AND your deploy tool's ignore list. Rotate every secret in the file immediately.
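To confirm the fix above, the following added example (not part of the original page or of any scanner's code) audits a project directory and reports, for each ignore file it finds, whether `.env` actually ends up excluded. `.gitignore` is the file the page names; the other file names in `IGNORE_FILES`, and the simplified last-match-wins pattern handling, are assumptions to adapt to your own deploy tool.

```python
import fnmatch
import tempfile
from pathlib import Path

# .gitignore is named on the page; the other entries are assumptions about
# which deploy tools the project uses.
IGNORE_FILES = [".gitignore", ".dockerignore", ".vercelignore", ".gcloudignore"]


def env_is_ignored(ignore_text: str, name: str = ".env") -> bool:
    """Return True if `name` at the project root ends up ignored.

    Simplified gitignore semantics: the last matching pattern wins, and a
    leading '!' re-includes the file.
    """
    ignored = False
    for raw in ignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. a commented-out "# .env"
        negated = line.startswith("!")
        pattern = line.lstrip("!")
        if pattern.startswith("**/"):
            pattern = pattern[3:]
        pattern = pattern.lstrip("/")  # "/.env" anchors to the project root
        if fnmatch.fnmatchcase(name, pattern):
            ignored = not negated
    return ignored


def audit(project_dir: str) -> dict:
    """Map each ignore file present in project_dir to whether it excludes .env."""
    results = {}
    for fname in IGNORE_FILES:
        path = Path(project_dir) / fname
        if path.is_file():
            results[fname] = env_is_ignored(path.read_text())
    return results


if __name__ == "__main__":
    # Constructed sample project: .gitignore is correct, .dockerignore undoes it.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / ".gitignore").write_text("node_modules/\n.env\n")
        (Path(d) / ".dockerignore").write_text(".env*\n!.env\n")
        for fname, ok in audit(d).items():
            print(f"{fname}: {'ok' if ok else '.env NOT excluded'}")
```

A `.gitignore` entry does not untrack a file that is already committed, so `git ls-files .env` should also print nothing.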
Security Scanner automatically checks for this issue as part of its 70+ module scan. Try it free — no signup needed for the quick scan.