Db-password Filetype Env Gmail

| Practice | Why it matters |
|----------|----------------|
| | Use .gitignore to exclude it from version control. |
| Use environment variable management tools | Tools like Doppler, HashiCorp Vault, or AWS Secrets Manager. |
| Restrict web access | Configure your web server to block .env files (e.g., in .htaccess or Nginx rules). |
| Rotate credentials regularly | Change passwords and SMTP credentials after any potential exposure. |
| Monitor search engine indexes | Use services like Google Search Console to find and request removal of exposed files. |
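A pre-deployment audit for the practices in the table, as an added example that is not part of the original page: it walks a project tree, finds `.env`-style files, reports whether `.gitignore` covers each one, and lists secret-looking keys that hold a value without printing the values. The key-name pattern, the simplified `.gitignore` matching and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Assumption: key names that usually hold secrets. DB_PASSWORD and
# MAIL_PASSWORD are the ones that appear in the sample .env on this page.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")

def secret_keys(env_text):
    """Names of secret-looking keys with a non-empty value (comments skipped)."""
    found = []
    for line in env_text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and SECRET_KEY.search(m.group(1)) and m.group(2).strip().strip("'\""):
            found.append(m.group(1))  # the value itself is never reported
    return found

def ignored(name, gitignore_text):
    """Simplified check: does any plain .gitignore pattern match this file name?
    Negation (!) and directory-scoped rules are not handled."""
    pats = [p.strip() for p in gitignore_text.splitlines()]
    pats = [p.lstrip("/") for p in pats if p and not p.startswith(("#", "!"))]
    return any(fnmatch.fnmatch(name, p) for p in pats)

def audit(root):
    """Map each .env-style file under root to (covered by .gitignore, secret keys)."""
    root = Path(root)
    gi = root / ".gitignore"
    gi_text = gi.read_text() if gi.is_file() else ""
    report = {}
    for path in sorted(root.rglob(".env*")):
        if path.is_file():
            keys = secret_keys(path.read_text(errors="replace"))
            report[path.relative_to(root).as_posix()] = (ignored(path.name, gi_text), keys)
    return report

def demo():
    """Constructed project tree: an ignored .env and a stray backup in the web root."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "public").mkdir()
        (root / ".gitignore").write_text(".env\n")
        (root / ".env").write_text("DB_HOST=db.example.test\nDB_PASSWORD=constructed\nMAIL_PASSWORD=constructed\n")
        (root / "public" / ".env.bak").write_text("# backup\nDB_PASSWORD='constructed'\n")
        return audit(root)

if __name__ == "__main__":
    for name, (is_ignored, keys) in demo().items():
        print(f"{name}: ignored={is_ignored} secret_keys={keys}")
```

Any file reported with `ignored=False` and a non-empty key list is a candidate for removal from the tree and for credential rotation.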

The attacker clones the repo, finds the database exposed on port 3306, and imports the data within minutes.

We live in an era where developers are expected to move fast, but moving fast often leads to committing .env files to public repos or leaving backup files in web roots. Remember: if your database password and your Gmail address appear together in an indexed text file, assume a bot has already read it.

```
DB_HOST=mysql-5.alwaysdata.net
DB_DATABASE=startup_prod
DB_USERNAME=admin_root
DB_PASSWORD=SuperSecure2024!
MAIL_HOST=smtp.gmail.com
MAIL_USERNAME=ceo.startup@gmail.com
MAIL_PASSWORD=AppPassword123
```

This is the key (variable name) inside the .env file. Developers use various naming conventions, such as: