How to fix an exposed .env file on your deployed site
Your .env file is reachable from the public internet. This is the worst-case scenario: .env files hold database passwords, API keys, Stripe secrets, and service-role tokens. Anyone who finds it can impersonate your backend. The fix depends on where it is served from — usually it means adding `.env*` to your static-host ignore list or redeploying without the file in your build output. Rotate every secret immediately.
Why it matters
Attackers run automated scanners against every new domain for `/.env`, `/.env.local`, `/.env.production`. If you shipped one by accident, someone has found it within hours. Every secret inside is compromised — no exceptions.
How to check
1. Open `https://your-site.com/.env` in a browser.
2. If you see key=value pairs, the file is public.
3. Try `/.env.local`, `/.env.production`, `/api/.env`.
4. Also check for `/config.json`, `/credentials.json`, `/secrets.json`.
How to fix it
Vercel / Next.js
Vercel ignores `.env*` by default. If yours is exposed, you probably committed it to `/public/` or have a custom build that copies it into the deployment. Remove it, redeploy, rotate secrets.
```gitignore
# .gitignore and .vercelignore should contain:
.env
.env.*
!.env.example
```

Lovable
Lovable sometimes writes env vars to files in the public directory when it doesn't have a proper env system. Search your project for files containing your API keys and delete them. Move secrets to Lovable's env var UI.
Generic static host
Most static hosts serve anything in the deployed directory. Check your build output. If .env is in it, your build is copying files it should not.
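The build-output check described above, as an added example rather than SafeToShip's own code: a pre-deploy gate that walks the deployed directory and refuses to ship it if it contains an `.env*` file, a credential-style JSON file from the checklist, or any file with a `KEY=value` line whose key looks like a credential. The embedded sample build tree, its paths and its placeholder values are constructed for the demonstration.

```python
import re
from pathlib import Path

# Filenames from the checklist above that must never reach the deployed directory.
CREDENTIAL_FILES = {"config.json", "credentials.json", "secrets.json"}
# .env, .env.local, .env.production, ... (even .env.example has no business in a deploy).
ENV_FILE = re.compile(r"^\.env(\..+)?$")
# KEY=value assignments at line start; only keys that look like credentials are reported.
KEY_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*\S+", re.M)
SENSITIVE = ("SECRET", "TOKEN", "PASSWORD", "API_KEY", "SERVICE_ROLE", "DATABASE_URL")

# Constructed sample build output (hypothetical paths, placeholder values) for a dry run.
SAMPLE_BUILD = {
    "index.html": "<html><body>ok</body></html>\n",
    ".env.production": "DATABASE_URL=postgres://app:placeholder@db.internal/app\n"
                       "STRIPE_SECRET_KEY=sk_live_placeholder\n",
    "config.json": '{"apiKey": "placeholder"}\n',
    "assets/runtime-config.js": "window.__ENV__ = {};\nSUPABASE_SERVICE_ROLE_KEY=eyJ.placeholder\n",
    "robots.txt": "User-agent: *\n",
}

def scan_files(files):
    """files: {relative path: text}. Returns sorted (path, reason) findings; [] means clean."""
    findings = []
    for rel in sorted(files):
        name = rel.rsplit("/", 1)[-1]
        if ENV_FILE.match(name):
            findings.append((rel, "env file in build output"))
        elif name in CREDENTIAL_FILES:
            findings.append((rel, "credential-style filename"))
        else:
            keys = sorted({k for k in KEY_LINE.findall(files[rel])
                           if any(s in k for s in SENSITIVE)})
            if keys:
                findings.append((rel, "secret assignment: " + ", ".join(keys)))
    return findings

def scan_build_output(build_dir):
    """Load every text file under build_dir (skipping binaries and huge files) and scan it."""
    root = Path(build_dir)
    files = {}
    for path in root.rglob("*"):
        if path.is_file() and path.stat().st_size <= 2_000_000:
            try:
                files[path.relative_to(root).as_posix()] = path.read_text("utf-8")
            except UnicodeDecodeError:
                pass  # binary asset (image, font): nothing to inspect
    return scan_files(files)
```

Call `scan_build_output("out")` (or `dist/`, `public/`) in the CI step just before upload and fail the job if it returns anything; `scan_files(SAMPLE_BUILD)` shows the three kinds of finding on the constructed tree.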
AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My deployed app has a .env file accessible at https://my-site.com/.env. Find where it is being copied into the build or deployment and remove it. Then search my codebase for every secret in that file (database URL, API keys, service role tokens, Stripe keys) and tell me which ones I need to rotate. Also update .gitignore, .vercelignore, and any build config to exclude .env files going forward.

FAQ
Frequently asked questions
- I rotated the leaked keys. Am I safe?
- Mostly. Check your logs for any activity using the old keys — if someone used them, they may have created persistence (new user accounts, webhook URLs, storage buckets). Audit access lists on every service whose key was leaked.
- Why does this keep happening with AI-built apps?
- AI tools sometimes treat .env as regular config and write it to the source tree, or build tooling copies everything in the project root to the output. The fix is always: env vars live in the host's env UI, never in a file shipped to production.