Critical severity · Vercel

Exposed .env file on Vercel

Your .env file is reachable from the public internet. This is the worst-case scenario: .env files hold database passwords, API keys, Stripe secrets, and service-role tokens. Anyone who finds it can impersonate your backend. The fix depends on where it is served from — usually it means adding `.env*` to your static-host ignore list or redeploying without the file in your build output. Rotate every secret immediately.

The fix for Vercel

Vercel / Next.js

Vercel ignores `.env*` by default. If yours is exposed, you probably committed it to `/public/` or have a custom build that copies it into the deployment. Remove it, redeploy, rotate secrets.

# .gitignore and .vercelignore should contain:
.env
.env.*
!.env.example

Why it matters

Attackers run automated scanners against every new domain for `/.env`, `/.env.local`, `/.env.production`. If you shipped one by accident, someone has found it within hours. Every secret inside is compromised — no exceptions.

Confirm the fix worked

Scan your Vercel site to confirm this finding is gone.

AI prompt

Apply across your codebase

Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.

My deployed app has a .env file accessible at https://my-site.com/.env. Find where it is being copied into the build or deployment and remove it. Then search my codebase for every secret in that file (database URL, API keys, service role tokens, Stripe keys) and tell me which ones I need to rotate. Also update .gitignore, .vercelignore, and any build config to exclude .env files going forward.

FAQ

Frequently asked questions

I rotated the leaked keys. Am I safe?
Mostly. Check your logs for any activity using the old keys — if someone used them, they may have created persistence (new user accounts, webhook URLs, storage buckets). Audit access lists on every service whose key was leaked.
Why does this keep happening with AI-built apps?
AI tools sometimes treat .env as regular config and write it to the source tree, or build tooling copies everything in the project root to the output. The fix is always: env vars live in the host's env UI, never in a file shipped to production.

Related fix guides

Fix these too

Exposed .git directory

An exposed .git directory lets attackers download your entire source history, including deleted secrets. Here is how to check and fix it.

Read more

Hardcoded API key in JS

Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.

Read more

Exposed Supabase service key

The service role key bypasses all security in Supabase. If it is in your client code, an attacker has full database access. Here is how to find and fix it.

Read more

Concepts

Glossary

Security Headers

A set of HTTP response headers that harden your site against common web attacks. Every site should send all six.

Read more

Free tools

Spot-check this

Exposed files checker

Find .env, .git, and other sensitive files before attackers do.

Read more