Dotenv .env file - Vulnerability Database

Dotenv .env file

Description

A dotenv configuration file (.env) has been detected and is publicly accessible. Dotenv files are read by the dotenv libraries for PHP, Node.js, Python, Ruby and other platforms to load environment variables such as database credentials, API keys, encryption secrets and other sensitive configuration from a plain-text file in the application directory. They are intended for local development, but are frequently deployed together with the application.

When such a file lies inside the web root of a production system and the web server serves it on request, anyone who requests /.env obtains the secrets in clear text and can use them to connect to the database, call third-party APIs in the application's name, or decrypt data protected with the exposed keys. This exposure typically results from a web server that is not configured to refuse dotfiles, or from deployment practices that copy development files into production.

Remediation

Take immediate action to secure or remove exposed .env files from production environments:

1. Remove the file from publicly accessible directories: Delete .env files from production systems, or move them outside the web root so that no URL maps to them. Check for copies under other names as well (for example .env.bak, .env.local or .env.production), which editors and deployment scripts often leave behind.

2. Configure web server access restrictions: Add rules that block access to .env files as a second layer, even if no such file is deployed today. For Apache 2.4, add to .htaccess (or, preferably, to the main server configuration; .htaccess is only honoured where AllowOverride permits it):

<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

For Nginx, add to the server block:

location ~ /\.env {
    deny all;
    return 404;
}

Both patterns also match files whose names begin with .env, such as .env.local or .env.bak. In the Nginx rule, return 404 is evaluated before deny all, so the response is a 404 rather than a 403; that is acceptable, and it avoids confirming that the file exists. Nginx uses the first regular-expression location that matches, in configuration order, so place this rule before any other regex location that could match the same path. After deploying the rule, request /.env from outside and confirm that the response is not 200.

3. Use environment variables directly: In production, set environment variables through your hosting platform, container orchestrator or service manager rather than using .env files, so that no secrets file exists under the application directory at all.

4. Rotate compromised credentials: If the file was reachable, treat every credential it contains as compromised and rotate it immediately: database passwords, API keys, application and encryption keys, mail credentials. Review the web server access logs for requests to /.env to establish whether it was actually retrieved and from where, but rotate regardless of what the logs show.

5. Implement deployment safeguards: Add .env to .gitignore (and to .dockerignore if you build container images) and use deployment scripts that exclude development configuration files from production builds, so that a .env file cannot reach the web root in the first place.
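The following script is an added example, not Invicti's code or any project's, that turns steps 1, 4 and 5 of the remediation into a pre-deploy check: it scans a web root for dotenv-style files, parses each one and reports only the key names (so the scan output itself does not leak secrets and serves as the rotation inventory), and checks that the repository's .gitignore has an active pattern covering .env. The file-name pattern, the directory layout built in demo() and the sample .env contents are constructed for the example.

```python
"""Pre-deploy safeguard for exposed dotenv files (added example, not the
vendor's or any project's code). Scans a web root for dotenv-style files,
inventories the key names they hold (never the values) and checks that
.gitignore excludes .env. The tree built in demo() is constructed inline."""
import fnmatch
import re
import tempfile
from pathlib import Path

# Names dotenv loaders and scanners commonly use: .env, .env.local,
# .env.production, prod.env, and leftovers such as .env.bak
# (assumption: illustrative list, extend it for your stack).
DOTENV_NAME = re.compile(r"^(\.env(\..+)?|.+\.env)$")

# KEY=VALUE with an optional 'export ' prefix, as most dotenv loaders accept.
_ASSIGNMENT = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> dict:
    """Parse dotenv text into {KEY: value}. Blank lines and '#' comments are
    skipped, matching surrounding quotes are removed, and an unquoted value
    is cut at the first ' #' inline comment."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue  # malformed line: ignored, as loaders do
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        elif " #" in value:
            value = value.split(" #", 1)[0].rstrip()
        env[key] = value
    return env


def find_dotenv_files(web_root) -> list:
    """Return [(path relative to web_root, sorted key names)] for every
    dotenv-style file below web_root. Only key names are reported."""
    root = Path(web_root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and DOTENV_NAME.match(path.name):
            keys = sorted(parse_dotenv(path.read_text(errors="replace")))
            hits.append((path.relative_to(root).as_posix(), keys))
    return hits


def gitignore_covers_dotenv(repo_root) -> bool:
    """True if .gitignore has an active (non-negated) pattern matching '.env'.
    fnmatch is close enough to git's wildmatch for these simple patterns."""
    gitignore = Path(repo_root) / ".gitignore"
    if not gitignore.is_file():
        return False
    for line in gitignore.read_text().splitlines():
        pattern = line.strip()
        if not pattern or pattern.startswith(("#", "!")):
            continue
        if fnmatch.fnmatchcase(".env", pattern.lstrip("/")):
            return True
    return False


def check_deploy(web_root, repo_root) -> dict:
    """Combine both checks; 'ok' is False if anything would ship exposed."""
    exposed = find_dotenv_files(web_root)
    ignored = gitignore_covers_dotenv(repo_root)
    return {"exposed": exposed, "gitignore_ok": ignored,
            "ok": not exposed and ignored}


def demo(gitignore_text="node_modules/\n# .env\n") -> dict:
    """Build a constructed tree that mimics a bad deploy and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        public = repo / "public"          # assumed web root
        (public / "config").mkdir(parents=True)
        (public / ".env").write_text(
            "# constructed sample, not real credentials\n"
            "export DB_PASSWORD='s3cr3t # not a comment'\n"
            "API_KEY=abc123 # trailing comment\n"
            "APP_DEBUG=true\n")
        (public / "config" / ".env.bak").write_text('MAIL_PASSWORD="old"\n')
        (repo / ".gitignore").write_text(gitignore_text)
        return check_deploy(public, repo)


if __name__ == "__main__":
    report = demo()
    for rel, keys in report["exposed"]:
        print(f"EXPOSED {rel}: rotate {', '.join(keys)}")
    print("gitignore excludes .env:", report["gitignore_ok"])
    raise SystemExit(0 if report["ok"] else 1)
```

Run it as the last step of a deployment pipeline against the directory that will become the web root; a non-zero exit blocks the deploy, and the printed key names are the list of credentials to rotate if the file has already shipped. The scanner deliberately matches .env.bak and similar copies, since the web server rules above block them only if the names start with .env, and a stray backup under another name would otherwise go unnoticed.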

Related Vulnerabilities