.env File Exposed
Your .env file is publicly accessible - anyone can read your database passwords, API keys, and other secrets.
Severity: critical
What is this?
A .env file is where most apps store sensitive configuration: database credentials, API keys, payment processor secrets, OAuth tokens. It's meant to live on your server only - never served to the web. When your deployment accidentally serves your project root directory (instead of just the build output), /.env becomes publicly accessible to anyone who asks for it.
Automated bots scan millions of domains daily looking for exposed .env files. Once found, credentials are extracted and exploited within minutes.
Why it matters
- Database breach - your full user database, including passwords, emails, and payment data, can be extracted
- API key abuse - your OpenAI, Stripe, AWS, or other service keys are used to run up charges or steal data
- Complete account takeover - any service credential in your .env can be used immediately
- Automated exploitation - this happens within minutes of exposure, not hours
How to fix it
- Immediately rotate all credentials in your .env - assume they've been compromised
- Fix your deployment to serve only the build output folder:
Providers & tools
| Framework | Build output directory |
|---|---|
| Next.js | .next/ - Vercel/Netlify handle this automatically |
| Vite / React | dist/ - set this as your publish directory |
| Create React App | build/ |
| Astro | dist/ |
| Hugo | public/ |
In Nginx: set the root directive to the build output directory from the table above (for example dist/ or build/), not the project root that contains .env.
In Vercel/Netlify: if you deployed the root directory by mistake, check your project's "Output Directory" setting in the dashboard.
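A self-check for the deployment you operate, added here as an example (it is not code from the original page or from any scanner). A bare HTTP status is not enough evidence: many hosts route every unknown path, including /.env, to index.html with a 200, so the check below only reports "exposed" when the body actually parses as a dotenv file and not as HTML. The domain name, the sample responses and the "fallback" label are constructed for illustration; variable values are never printed, only their names.

```python
"""Detect whether a deployment serves its .env file.

Added example, not part of the original page. Fetches https://<domain>/.env,
then decides between a real dotenv file, a catch-all web page returned for
any path, and a clean 4xx. Sample bodies below are constructed, not real.
"""
import re
import sys
import urllib.error
import urllib.request

# KEY=value or export KEY="value": the shape of a dotenv line.
_ENV_LINE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=')


def looks_like_env(body: str) -> bool:
    """True if the body reads as a dotenv file rather than an HTML page.

    SPA hosts often answer 200 with index.html for every unknown path, so a
    200 for /.env alone is a false positive; require dotenv structure.
    """
    text = body.lstrip("\ufeff")  # tolerate a UTF-8 BOM
    if re.search(r"<\s*(!doctype|html|head|body)\b", text, re.I):
        return False
    meaningful = [ln.strip() for ln in text.splitlines()
                  if ln.strip() and not ln.strip().startswith("#")]
    if not meaningful:
        return False
    env_lines = [ln for ln in meaningful if _ENV_LINE.match(ln)]
    # Nearly every non-comment line must be KEY=VALUE.
    return len(env_lines) / len(meaningful) >= 0.8


def exposed_keys(body: str) -> list[str]:
    """Names of variables in an exposed body; values are deliberately dropped."""
    names = []
    for ln in body.splitlines():
        m = _ENV_LINE.match(ln.strip())
        if m:
            names.append(m.group(1))
    return names


def classify(status: int, body: str) -> str:
    """Map the response for /.env to 'exposed', 'fallback' or 'clean'."""
    if status != 200:
        return "clean"
    if looks_like_env(body):
        return "exposed"
    return "fallback"  # 200 but a web page: catch-all routing, not a leak


def check_domain(domain: str, timeout: float = 5.0) -> tuple[str, list[str]]:
    """Fetch https://<domain>/.env and classify it (network call)."""
    req = urllib.request.Request(
        f"https://{domain}/.env",
        headers={"User-Agent": "env-exposure-selfcheck"},  # constructed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, ""
    except urllib.error.URLError:
        return "unreachable", []
    verdict = classify(status, body)
    return verdict, (exposed_keys(body) if verdict == "exposed" else [])


# Constructed sample responses; the values are placeholders, not credentials.
SAMPLE_EXPOSED = """# constructed example .env
DATABASE_URL=postgres://app:PLACEHOLDER@db.internal:5432/app
STRIPE_SECRET_KEY=sk_test_PLACEHOLDER
export OPENAI_API_KEY="PLACEHOLDER"
"""
SAMPLE_FALLBACK = """<!doctype html><html><head><title>App</title></head>
<body><div id="root"></div></body></html>"""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder domain
    verdict, keys = check_domain(target)
    print(f"{target}: {verdict}" + (f" (variables: {', '.join(keys)})" if keys else ""))
```

Run it as `python3 envcheck.py yourdomain.example`. A "fallback" verdict means the host returned a page, not the file, and usually needs no action; an "exposed" verdict means the rotation step above applies to every variable it lists.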